Infrastructure Security
International Conference, InfraSec 2002
Bristol, UK, October 1-3, 2002
Proceedings
Series Editors
George Davida
University of Wisconsin-Milwaukee
Milwaukee, WI 53201, USA
E-mail: davida@cs.uwm.edu
Yair Frankel
TechTegrity LLC
P.O. Box 2125, Westfield, NJ 07091, USA
E-mail: yfrankel@cryptographers.com
Owen Rees
Hewlett-Packard Laboratories
Filton Road, Stoke Gifford, Bristol, BS34 8QZ, UK
E-mail: owen.rees@hp.com
CR Subject Classification (1998): D.4.6, C.2.9, D.2, E.3, H.2.0, K.4.4, K.6.5
ISSN 0302-9743
ISBN 3-540-44309-6 Springer-Verlag Berlin Heidelberg New York
This work is subject to copyright. All rights are reserved, whether the whole or part of the material is
concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting,
reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication
or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965,
in its current version, and permission for use must always be obtained from Springer-Verlag. Violations are
liable for prosecution under the German Copyright Law.
Springer-Verlag Berlin Heidelberg New York
a member of BertelsmannSpringer Science+Business Media GmbH
http://www.springer.de
This conference program included two keynote speakers: Bob Evans (Office of the
e-Envoy) and Vic Maconachy (Department of Defense). The program committee
considered 44 submissions of which 23 papers were accepted. Each submitted paper
was reviewed by a minimum of three referees. These proceedings contain revised
versions of the accepted papers. Revisions were not checked and the authors bear full
responsibility for the content of their papers.
We thank all the authors who submitted to the conference; without them it would
not have been successful. Our thanks also go to the program committee and all reviewers.
Sponsored by
Datacard Group
Hewlett-Packard Laboratories
Conference President
Graham Higgins, Datacard Group
General Chair
Susan Thompson, Datacard Group
Program Chair
George Davida, University of Wisconsin-Milwaukee
Program Co-chairs
Yair Frankel, TechTegrity LLC
Owen Rees, Hewlett-Packard Laboratories
Program Committee
Biometrics
Biometric Authentication in Infrastructure Security . . . . . . . . . . . . . . . . . . . . 1
John Armington, Purdy Ho, Paul Koznek, Richard Martinez
Analysis Process
How to Buy Better Testing (Using Competition to Get
the Most Security and Robustness for Your Dollar) . . . . . . . . . . . . . . . . . . . . . 73
Stuart Schechter
Mobile Networks
Authentication and Authorization of Mobile Clients in Public Data
Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Prakash Reddy, Venky Krishnan, Kan Zhang, Devaraj Das
A Contemporary Foreword on GSM Security . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Paulo S. Pagliusi
System Design
DPS: An Architectural Style for Development
of Secure Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Pascal Fenkam, Harald Gall, Mehdi Jazayeri, Christopher Kruegel
A New Infrastructure for User Tracking Prevention and Privacy
Protection in Internet Shopping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Matthias Enzmann, Thomas Kunz, Markus Schneider
Formal Methods
Authenticity and Provability – A Formal Framework . . . . . . . . . . . . . . . . . . . 227
Sigrid Gürgens, Peter Ochsenschläger, Carsten Rudolph
Protocol Engineering Applied to Formal Analysis of Security Systems . . . . 246
Javier Lopez, Juan J. Ortega, Jose M. Troya
Cryptographic Techniques
Applications of Multiple Trust Authorities in Pairing Based
Cryptosystems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
L. Chen, K. Harrison, D. Soldera, N.P. Smart
Networks
A Practical Distributed Authorization System for GARA . . . . . . . . . . . . . . . 314
William A. Adamson, Olga Kornievskaia
Design of a VPN Software Solution Integrating TCP and UDP Services . . . 325
Javier Lopez, Jose A. Montenegro, Rodrigo Roman, Jorge Davila
For many years, the use of biometrics to identify a person or verify one's
identity was mainly confined to government installations and Hollywood movies. With
the introduction of lower cost biometric devices the technology is moving into
mainstream use. MIT Technology Review Magazine recently listed biometrics as
one of the “top ten emerging technologies that will change the world” [1].
Biometric authentication works at the human-to-machine interface, as one
component of a system built of secure and trusted components. To work, it must
1) verify that the biometric came from the person at the time of verification, and
2) verify that it matches a trusted record of that person's biometric [2].
Biometrics is used to best advantage as one factor in a multi-factor authen-
tication system. It is one of four possible factors that include: what you know
(password/PIN); what you have (smartcard/ token card); where you are (GPS
locator); and what you are (biometrics). To increase security, many system
designers require authentication from two or more of these factors; for example,
an ATM requires a difficult-to-duplicate card and a secret PIN.
G. Davida, Y. Frankel and O. Rees (Eds.): InfraSec 2002, LNCS 2437, pp. 1–18, 2002.
© Springer-Verlag Berlin Heidelberg 2002
1.3 Standards
Although forensic biometric standards such as AFIS (Automated Fingerprint
Identification System) have existed for decades, recent adoption of biometric
standards by mainstream industry standards organizations, and the emergence
of organizations dedicated to the commercial biometrics industry such as the
BioAPI Consortium [4] and the IBIA (International Biometrics Industry As-
sociation) [5] are evidence that the industry is maturing. BioAPI is intended
to create a standard interface between biometric sensing devices and software,
allowing some degree of interchangeability between devices. Most of the bio-
metrics industry now participates in the BioAPI standard. Microsoft, a notable
exception, has adopted a proprietary biometric API [6].
1.4 Testing
Because vendors tend to over-rate the performance of their technologies, often
quoting test results that favor their products, independent test results and an
understanding of testing methods and criteria should be taken into consideration
when developing a biometric system. Independent testing laboratories involved
in biometric device testing include the Biometrics Working Group (BWG) of the
National Institute of Standards and Technology (NIST) Laboratories, and the
National Physical Laboratory (UK) for the Communications Electronics Security
Group (CESG).
The Center for Mathematics and Scientific Computing, National Physical
Laboratory for the Communications Electronics Security Group (CESG) com-
pleted a broad-based independent test of multiple biometric technologies in
March 2001. Seven biometric systems were selected for testing. These included
two fingerprint systems (one using optical fingerprint capture, the other us-
ing a chip sensor), a face recognition system, a hand recognition system, an iris
verification system, a vein recognition system, and a speaker (voice) verification
system. All tests were conducted in a normal office environment.
For each system tested, a DET (Detection Error Tradeoff) curve was plotted
to show the performance relative to different detection thresholds. The prob-
ability of False Rejection (FR) and the probability of False Acceptance (FA)
were computed empirically for each threshold. A range of detection thresholds
was swept to produce each curve; each point on a curve represents the FR and
FA rates at a particular threshold. By adjusting the threshold, the tradeoff
between FR and FA can be controlled, and thus the performance of the system
tuned. In general, the system is adjusted to have a low FA rate, e.g. if the
decision threshold is raised, the FA rate will decrease, and vice versa. A common
statistic quoted by vendors is called the Equal Error Rate, or EER, which is sim-
ply that point at which the FA rate equals the FR rate, but has little meaning
without the other points on the curve. It is also important to consider how the
test accounts for those who cannot use the system, called the Failure to Enroll
rate. Are these counted in the FR rate, or simply ignored? How does a system
accommodate these exceptions? The iris scan system showed significantly su-
perior performance over all other types in this test. Unfortunately, because the
threshold could not be varied, it was impossible to form a true DET curve. For
the full report, see [8].
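The FR/FA sweep described above can be made concrete with a small sketch. The score distributions below are synthetic, purely for illustration; real systems would use genuine and impostor match scores collected in testing.

```python
import numpy as np

def det_points(genuine, impostor, thresholds):
    """Empirical False Rejection (FR) and False Acceptance (FA)
    probabilities at each decision threshold.  A sample is accepted
    when its match score meets or exceeds the threshold."""
    genuine = np.asarray(genuine)
    impostor = np.asarray(impostor)
    points = []
    for t in thresholds:
        fr = float(np.mean(genuine < t))    # valid users rejected
        fa = float(np.mean(impostor >= t))  # impostors accepted
        points.append((t, fr, fa))
    return points

def equal_error_rate(points):
    """EER: the point on the curve where FR and FA are (nearly) equal."""
    _, fr, fa = min(points, key=lambda p: abs(p[1] - p[2]))
    return (fr + fa) / 2

# Synthetic score distributions, for illustration only
rng = np.random.default_rng(0)
genuine_scores = rng.normal(0.8, 0.1, 1000)   # true users
impostor_scores = rng.normal(0.4, 0.1, 1000)  # impostors
pts = det_points(genuine_scores, impostor_scores, np.linspace(0.0, 1.0, 101))
```

Sweeping the threshold upward drives FA down and FR up, which is exactly the tradeoff a DET curve displays; the EER is one summary point on that curve and, as noted above, says little without the rest of it.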
Security technology must always be concerned with subversion via false repre-
sentation of digital information or data streams, commonly known as ‘spoofing’,
and biometric security systems must pay particular attention to such concerns.
Once a biometric has been converted to a stream of bits, it could be inserted
into a legitimate system or manipulated to subvert the system’s purpose. Bio-
metric authentication of remote users by remote devices is especially susceptible
to such attack by unscrupulous persons wishing to impersonate a legitimate
user. A well-designed system will take advantage of digital signatures, tamper
resistant packaging, and other techniques known in the security industry to in-
crease trustworthiness of the overall system. Trust placed in a poorly designed
system may lead to security breaches that are difficult or impossible to detect.
Standards being developed by the Trusted Computing Platform Alliance (TCPA)
hold promise for enabling solutions to these trust issues in the near future
by providing a means for computing devices, from smartcards to PCs to servers,
to measure and communicate their level of trustworthiness [9]. Specific
attacks and countermeasures are addressed under each technology below.
2 Technologies
Speaker verification (SV) systems fall into three broad categories:
– Text-dependent/fixed-phrase
– Text-independent/unconstrained
– Text-dependent/prompted-phrase
These approaches are rated below based on security, convenience, and
implementation complexity.
Text-dependent/fixed-phrase: Users have to utter exactly the same
phrase they did during enrollment and the system matches the two utterances.
Advantages include simple enrollment and verification processes, and a lower
error rate than the other two approaches, in general. However, this approach
is subject to attack by replay of recorded speech or a template stolen from the
database, and also requires memorization of a passphrase. An example of this
kind of system is developed by Nuance [12], which verifies speakers by having
them say their phone numbers.
Text-independent/unconstrained: This approach verifies the speaker without
knowledge of what is being said. Verification is based on specific acoustic features of
the vocal tract; users can say anything they want, giving it an advantage in
convenience. Also, there is no recorded passphrase that can be stolen from a
database. Disadvantages are that it requires more training data and the veri-
fication is more computationally intensive. It is also subject to a pre-recorded
speech attack. Systems developed by Ensigma [13] and Persay [14] use this
approach.
Text-dependent/prompted-phrase: Users are prompted to repeat a one-
time passcode (OTP) or passphrase in real time, so that they do not need
to remember passwords. The ASR module matches the prompted passphrase with
the utterance from the user, while the SV module verifies the user's voice. This
approach ensures that the user is responding in real time, countering attacks
by replay of recorded speech or a stolen template. This approach can also
be extended to dual-factor authentication by providing a secure out-of-band
prompting mechanism. However, the major drawback is that a more complex
infrastructure and a longer enrollment are required. VeriVoice's system [17] uses
in-band OTP prompting.
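The prompted-phrase flow can be sketched as follows. The three callables are hypothetical stand-ins for an audio front end, an ASR engine, and an SV engine; no real vendor API is implied.

```python
import secrets

def prompted_phrase_auth(claimed_user, capture_audio,
                         recognize_speech, verify_speaker):
    """Sketch of text-dependent/prompted-phrase authentication.
    `capture_audio`, `recognize_speech`, and `verify_speaker` are
    placeholders for real engines."""
    otp = f"{secrets.randbelow(10**6):06d}"        # fresh one-time prompt
    utterance = capture_audio(prompt=otp)
    if recognize_speech(utterance) != otp:          # ASR: the right words?
        return False                                # replayed or wrong phrase
    return verify_speaker(claimed_user, utterance)  # SV: the right voice?
```

Because the prompt is freshly generated each session, a replayed recording fails the ASR check even if the voice itself would pass speaker verification.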
Over the past 20 years numerous face recognition papers have been published
in the computer vision community; a survey can be found in [20]. Due to recent
events, automatic face recognition systems received a lot of media attention and
became very popular in military and aviation security. The two main commercial
face recognition system makers, Viisage [21] and Visionics [22], both claimed that
their systems could pick out terrorists and criminals from a scene as long as they
are in the law enforcement database.
The Viisage system was used at Super Bowl 2000. An image of each spectator
was taken at a checkpoint and compared to the law enforcement database of
known criminals and terrorists. Its system is based on an algorithm called
Eigenface [23], which was developed in the MIT Media Lab. This algorithm works
extremely well on frontal faces. The Visionics surveillance system used in Tampa,
FL works differently from the Viisage system: it uses an algorithm called Local
Feature Analysis (LFA) [24], developed by its CEO. Visionics [25] claimed that
LFA is better than Eigenface because it is relatively less sensitive to changes in
expression, including blinking, frowning, and smiling.
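The Eigenface idea cited above reduces to principal component analysis of face images. The sketch below uses random vectors in place of real images, so it only illustrates the mechanics (mean-subtraction, top-k components, nearest-neighbour matching in the reduced space), not recognition accuracy.

```python
import numpy as np

def train_eigenfaces(faces, k):
    """Eigenface in outline: stack each training face as a row vector,
    subtract the mean face, and keep the top-k principal components
    (the 'eigenfaces').  `faces` is an (n_faces, n_pixels) array."""
    mean = faces.mean(axis=0)
    # Rows of vt are the principal directions of the centred data
    _, _, vt = np.linalg.svd(faces - mean, full_matrices=False)
    return mean, vt[:k]

def project(face, mean, eigenfaces):
    """Describe a face by its k coefficients in eigenface space."""
    return eigenfaces @ (face - mean)

def identify(probe, gallery, mean, eigenfaces):
    """Nearest-neighbour match in eigenface space; returns the index
    of the closest gallery face."""
    p = project(probe, mean, eigenfaces)
    coeffs = [project(g, mean, eigenfaces) for g in gallery]
    return int(np.argmin([np.linalg.norm(p - c) for c in coeffs]))

rng = np.random.default_rng(1)
gallery = rng.normal(size=(10, 64))   # 10 synthetic "faces", 64 "pixels" each
mean, eig = train_eigenfaces(gallery, k=5)
who = identify(gallery[3] + 0.01 * rng.normal(size=64), gallery, mean, eig)
```

Matching in the low-dimensional coefficient space is what makes the approach fast, and also why it degrades for non-frontal faces: a rotated face no longer lies near the subspace learned from frontal training images.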
Usability. Visionics claimed that [25] for head rotation less than 10-15 degrees,
there is no degradation in performance. From 15 to 35 degrees, the face recog-
nition discrimination power decreases. Face rotations beyond 35 degrees do not
match well to frontal faces with its current LFA technology. There are also three
major drawbacks of this system: 1. glare on eyeglasses that obstructs the eyes;
2. long hair obscuring the central part of the face; 3. poor lighting that leaves
the face overexposed and low in contrast. Also, these systems are mostly
capable of recognizing frontal faces, which might be adequate in low- to medium-
level access control applications where users are consistent from session to ses-
sion. However, in surveillance applications where users are often not aware of
the task, it is important for the system to handle faces rotated in depth. Another
challenge is the difficulty of creating a database that contains all known ter-
rorists. Thus face recognition might not be a feasible solution for surveillance
purposes.
Nevertheless, face recognition is the most non-intrusive and the easiest-to-
enroll biometric method for identification. It is also considered to be one of the
physical characteristics that is constantly exposed to the public. Thus, capturing
face images, as opposed to scanning fingers/irises, will not violate the Bill of
Rights and will not infringe privacy. Therefore, face recognition systems are good
for providing simple and convenient ways of identifying users in low to medium
security applications.
Attacks and Countermeasures. There are several ways to defeat finger scan
systems, including template replay, last login, adhesive tape and fingerprint repli-
cas. A recent replica attack using gelatin, A.K.A. the Gummy attack [27], was
used to circumvent a variety of optical and capacitive devices. Since gelatin is
similar in electrical characteristics to human skin, some devices could not differ-
entiate between the enrolled fingerprint and the gummy replica. Some vendors
incorporate countermeasures to alleviate the possibility of these attacks. A newer
type of silicon device is now available that reads the subdermal layer of skin by
injecting a small electrical signal into the finger. Other vendors employ
"liveness tests", taking several readings of a fingerprint to detect minute differ-
ences. If the readings are exactly the same for each scan, the fingerprint is most
likely a static replica. Some systems, such as those used in military applications,
incorporate a duress mode, in which a hostage user will present a different finger
to make the system appear to work normally but will send a silent signal to a
monitoring station [28]. Additional attacks and countermeasures, not specific to
finger scan, are mentioned in section 1.5.
use the system at all because, after five tries, they were not able to successfully
enroll. Testing was done using the Iridian Authenticam and the standalone
authentication demo software V2.0 101987SW Rev A (July 6, 2001) from Iridian
Technologies [35].
– 15 users reported feeling like there was something done to their eyes after
enrolling and authenticating. (Psychological effect?)
– About half of the people tested needed at least 2 tries to enroll successfully,
with 17 people requiring 3 or more tries.
– Those who needed more than 3 tries to enroll had to open their eyes very
wide, and 4 people had to hold their eyes open with their fingers.
– The angle of the camera seemed to have an effect on authentication.
– 8 people commented that the device was still too large and cumbersome to
use on the road. (Another device to carry and set up at remote locations)
3 Cultural Issues
Biometric cultural issues involve the way people think about biometrics, in
areas including religious objections, health concerns, and the legal aspects of
biometrics. Personal privacy is a central issue in the use of biometric technology
and will be used as a framework for much of this discussion. Loss of privacy
refers to the loss of control of the information about the individual to whom the
information pertains. The right to privacy appeared as a legal right as early as
2000 years ago in Jewish law: "If one man builds a wall opposite his fel-
low’s windows, whether it is higher or lower than them . . . it may not be within
four cubits. If higher, it must be four cubits higher, for privacy’s sake.” [36].
However, privacy rights are not always attained in modern society, or protected
by modern governments. The right to privacy is not explicitly mentioned in the
US Constitution, but is implied in Amendments 1, 3, 4, 5, 9, and 14. European
Commission’s Directive on Data Protection, which went into effect in October
1998, provides more comprehensive protection, but only to citizens of EU na-
tions. The international community recognizes privacy as a basic human right.
Article 12 of the 1948 Universal Declaration of Human Rights states:
"No one shall be subjected to arbitrary interference with his privacy, family,
home or correspondence, nor to attacks upon his honour and reputation. Everyone
has the right to the protection of the law against such interference or attacks."
The two main types of personal privacy, information privacy and physical privacy,
will be used to discuss in what situations biometrics may be used to help or
hinder personal privacy [38].
Function creep. Function creep is defined as using biometric data for purposes
beyond that originally authorized, in violation of information privacy. Many are
concerned that their biometric information may be used for other purposes and
without their explicit permission. Preventing such abuse of private information
would require 1) explicit approval by the information owner for collection, stor-
age, and specific use, 2) audit practices that track the use of the information
and the timeframe for retaining the information, and 3) criminal penalties for
unauthorized disclosure or use of the information.
It should also be noted that most European countries’ privacy policies have
been strongly influenced by the Guidelines on the Protection and Privacy of
Transborder Flows of Personal Data, published by the Organization for Eco-
nomic Cooperation and Development (OECD) in 1980. The data privacy prin-
ciples set out in the Guideline are consistent with those stated by the IBIA and
general best practices outlined above.
The face recognition systems of Viisage [21] and Visionics [22] were employed by
law enforcement to identify terrorists and criminals in the Super Bowl stadium
and in Tampa, FL. It was
viewed by some people as a violation of the Fourth Amendment and considered
an “unreasonable” search. The Supreme Court explained that government ac-
tion constitutes a search when it invades a person’s reasonable expectation of
privacy. This reasonable expectation of privacy does not include physical charac-
teristics that are constantly exposed to the public, such as one’s facial features,
voice, and handwriting. Thus, scanning the spectators’ facial characteristics at
the Super Bowl did not constitute an unreasonable search by the government.
However, it does violate the Privacy Principles set by the IBIA and the OECD.
The low accuracy of face recognition applications and other biometrics can
easily create situations in which innocent people are recognized to be criminals.
Richard Lawrence Sklar, a political science professor at UCLA, was mistaken for
a fugitive and arrested 3 times in 12 years. On one arrest, a customs official
confirmed that his birth date, height, weight, eye, and hair color, were the same
as the fugitive. He was strip searched, moved from one holding cell to another,
and handcuffed to several violent offenders [39].
Canada’s Personal Information Protection and Electronic Documents
(PIPED) Act makes it illegal for any private company to collect personal infor-
mation on an individual without his/her express consent or a warrant. Thus,
a person walking into a bank can request that the cameras be turned off, be-
cause they violate his/her privacy rights. It would be against the law for the bank
managers to refuse to do so. This act will allow a security video recording to be
handed over to police if it shows evidence of criminal activity. Of course, if the
camera is shut off and a robbery is committed, there will be no proof to hand
over. The act does not apply to activities of the Canadian government. In the
first decision under the act, which came into effect Jan. 1, 2001, federal Privacy
Commissioner George Radwanski told a Yellowknife security company that the
installation of street surveillance cameras is unlawful [40].
4 Recommendations
The following recommendations are drawn from the investigation, research, and
analysis of biometric authentication technologies.
References
1. “Emerging Technologies That Will Change the World,” MIT Technology Review,
January/February 2001,
http://www.technologyreview.com/articles/tr10 toc0101.asp.
2. B. Schneier, “Biometrics: Uses and Abuses,” Inside Risks 110, Communications
of the ACM, vol. 42, no. 8, August 1999,
http://www.counterpane.com/insiderisks1.html.
3. “International Biometric Group,”
http://www.biometricgroup.com/e/biometric market report.htm.
4. “BioAPI Consortium,” http://www.bioapi.org.
Denial of Access in Biometrics-Based Authentication Systems
Luciano Rila
1 Introduction
Biometrics has been widely recognised as a powerful tool for problems requiring
personal identification. Most automated identity authentication systems in use
today rely on either the possession of a token (smartcard, USB token) or the
knowledge of a secret (password, PIN) to establish the identity of an individual.
The main problem with these traditional approaches to identity authentication is
that tokens or PIN/passwords can be lost, stolen, forgotten, misplaced, guessed,
or willingly given to an unauthorised person. Biometric authentication, on the
other hand, is based on either physiological features of the body (such as fin-
gerprint, hand geometry, and iris pattern) or behavioural characteristics of the
individual (such as voice prints and written signature) and therefore does not
suffer from the disadvantages of the more traditional methods.
Biometrics has the potential for increasing the security of authentication sys-
tems. In PIN/password-based authentication systems, the use of safe PINs and
passwords — i.e. long, complicated ones — is rarely enforced since such pass-
words are difficult to remember, and therefore users tend to write them down.
It has also been demonstrated that users may share a password or token when
working on a group task [1]. These practices significantly weaken the security of
the system. The very nature of the biometric methods overcomes such problems
since biometric authentication information cannot be transferred or shared and
is therefore a powerful weapon against repudiation.
G. Davida, Y. Frankel and O. Rees (Eds.): InfraSec 2002, LNCS 2437, pp. 19–29, 2002.
© Springer-Verlag Berlin Heidelberg 2002
then transferred to the signal processing subsystem where the feature extrac-
tion takes place. The matching subsystem receives the extracted features from
the signal processing subsystem and retrieves the biometric reference template
associated with the claimed identity from the storage subsystem. The matching
subsystem then compares the submitted biometric sample with the reference
template yielding a score, which is a numeric value indicating how closely the
submitted sample and the reference template match. The decision subsystem
receives the score and, according to a confidence value based on security risks
and a decision-making policy, decides whether to accept the claimant or not.
The authentication decision is finally passed on to the application.
[Fig.: Logical components of a biometric system — data collection → signal
processing (feature extraction) → matching (against the template retrieved
from storage) → score → decision → authentication decision to application.]
Note that these are logical modules, and therefore some systems may inte-
grate several of these components into one physical unit.
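One session through the logical subsystems described above can be sketched as plain functions. Every name here is an illustrative placeholder, not a real API: `extract_features` stands for the signal-processing subsystem, the dict for storage, `similarity` for matching, and the final comparison for the decision subsystem.

```python
def authenticate(sample, claimed_identity, extract_features,
                 template_store, similarity, threshold):
    """One authentication session through the logical subsystems
    (data collection is assumed to have produced `sample`)."""
    features = extract_features(sample)           # signal processing
    template = template_store[claimed_identity]   # storage subsystem
    score = similarity(features, template)        # matching -> score
    return score >= threshold                     # decision policy
```

As the text notes, these are logical modules: a real product may fold several of them into one physical device, but the data flow from sample to score to decision stays the same.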
The biometric reference template is a crucial element of biometric tech-
nology. A template is a small file containing distinguishing features of the user
derived from his/her biometric data. The process of collecting biometric data
from a user, and the subsequent processing and storing of their biometric ref-
erence template in the storage subsystem is known as enrolment. Subsequent
authentication sessions compare a live biometric sample provided by the user
with the user’s reference template generated by the system during the enrol-
ment procedure. Enrolment plays a critical role in the overall performance of a
biometric system, as we will discuss in Section 3.3.
The nature of biometric data is such that two different measurements of the
same biometric feature from the same person are very likely to be different.
The false match rate (FMR) is the probability that an individual’s template will
incorrectly be considered a match for a different individual’s biometric sample.
The FMR can be regarded as a function of the tolerance threshold: the higher
the tolerance threshold, the lower the FMR. If the minimum degree of similarity
necessary for a match is set relatively high, a match between two different finger-
prints, however similar they are, becomes less likely. Conversely, if the tolerance
threshold is reduced, the FMR increases.
An impostor break-in is a particularly critical security issue in applications
such as access to weapons or to a bank safe. Also, for an emerging technology still
seeking public acceptance, solutions providing high security must be perceived
as not vulnerable to break-ins.
It is important to understand the difference between the false match rate and
the false acceptance rate. The false match rate is the probability of a false match
for a single comparison. The false acceptance rate is the probability that an
impostor is accepted by the system. Since, in general, users are allowed a certain
number of attempts before being rejected by the system, the false acceptance rate
is likely to be larger than the FMR. An impostor may also be able to attempt
impersonating more than one valid user. Therefore the actual probability of
impostor break-in is higher than the FMR.
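The gap between FMR and false acceptance rate can be quantified under a simplifying independence assumption between attempts:

```python
def false_acceptance_rate(fmr, attempts):
    """Probability that at least one of `attempts` independent
    comparisons falsely matches, given a per-comparison false match
    rate `fmr`.  Independence between attempts is an idealisation."""
    return 1.0 - (1.0 - fmr) ** attempts

# A 0.1% FMR with three allowed attempts roughly triples the risk
far = false_acceptance_rate(0.001, 3)   # ~0.002997
```

An impostor who may also target several enrolled users multiplies the exposure further, which is why the break-in probability of a deployed system exceeds the quoted FMR.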
Denial of Access in Biometrics-Based Authentication Systems 23
The false non-match rate (FNMR) is the probability that a valid user’s biometric
will incorrectly be considered a non-match for his/her reference template. The
FNMR is therefore related to the issue of denial of access.
As with the FMR, the FNMR can be regarded as a function of the tolerance
threshold: the higher the tolerance threshold, the higher the FNMR. Thus, if the
minimum degree of similarity necessary for a match is set relatively high, a valid
user may have difficulties in providing a sample of his/her biometric data that
matches so closely against his/her own reference template. Conversely, if the
tolerance threshold is reduced, the FNMR also decreases.
A false non-match occurs when there is not a sufficiently high similarity
between the user’s biometric sample and his/her reference template. This may
happen due to: changes in the user’s biometric data (fingerprints may vary due
to skin condition, ageing, injuries; voice prints may vary due to a sore throat
or emotional state); changes in the biometric data presentation (placing a finger in
a different position; speaking at a different volume or closer or further away from
the microphone); and/or changes in the environment (variations in humidity for
fingerprint recognition systems, background lighting for face-scan systems, or
ambient noise for voice-scan systems).
It is important to understand the difference between the false non-match rate
and the false rejection rate. The false non-match rate is the probability of a false
non-match for a single comparison. The false rejection rate is the probability
that a valid user is rejected by the system. Again users are generally allowed
more than one attempt before being rejected by the system, and so the false
rejection rate is typically lower than the false non-match rate.
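The mirror-image calculation, again assuming independent attempts, shows why the false rejection rate sits below the per-comparison FNMR:

```python
def false_rejection_rate(fnmr, attempts):
    """A valid user is rejected only if every one of `attempts`
    independent tries falsely non-matches, so the FRR is the FNMR
    raised to the number of attempts (independence assumed)."""
    return fnmr ** attempts

# A 5% per-comparison FNMR with three tries:
frr = false_rejection_rate(0.05, 3)   # 0.05 ** 3 = 0.000125
```

In practice consecutive tries by the same user are correlated (same skin condition, same lighting), so the real FRR lands somewhere between the FNMR and this idealised lower bound.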
Note that the FMR and the FNMR are inversely related. If an application
requires high security, setting the tolerance threshold too high may eliminate
the possibility of an impostor break-in but will result in an undesirably high
probability of denial of access. Conversely, if denial of access is to be avoided
by setting the tolerance threshold relatively low, the probability of an impos-
tor break-in increases. The choice of value for the tolerance threshold therefore
involves a trade-off between the two types of error and determines the security
and convenience of a biometrics-based authentication system.
The failure-to-enrol rate (FTER) represents the proportion of users from the to-
tal population for whom the system is unable to generate repeatable templates.
This will include those unable to present the required biometric feature, those
unable to provide sufficiently distinctive biometric data, and those unable to
match reliably against their template following an enrolment attempt. The de-
sign of the biometric solution may also make it difficult for some users to provide
consistent biometric data.
Failure-to-enrol will necessitate the use of an alternative authentication
method for those users unable to enrol.
5 Authentication Decision-Making
Multibiometric systems, i.e. systems employing more than one biometric tech-
nology to establish the identity of an individual, seek to improve the overall
performance of the biometric system by checking multiple pieces of evidence of the same
identity [9,10,11]. As pointed out in [12], multibiometrics can reduce the proba-
bility of denial of access at the expense of an increase in the FMR. Multibiometric
systems also suffer from other major drawbacks. Use of multiple biometric mea-
surement devices will certainly impose significant additional costs, will result in
more complex user-machine interfaces, and will impose additional management
complexity.
Another possible means of reducing the impact of denial of access is to con-
sider more elaborate forms of authentication decision-making. It is important to
observe that the authentication decision does not depend only on the FNMR. Au-
thentication decision-making may involve use of one or more other approaches,
and we now consider ways in which a more complex authentication decision-
making process can reduce the likelihood of denial of access.
Therefore, the use of a password strengthens the security of the system, since
the combined FMR is lower than the FMR would be if the threshold were set
at the lower end of the inconclusive interval. Nevertheless, in the event of an
inconclusive matching outcome, the system operates with a probability of
denial of access lower than that associated with a match outcome.
Depending on the application, successful authentication through an inconclu-
sive matching decision might grant only restricted access to the desired
resources.
The simplest decision policy that a biometric system can adopt is to
accept the user’s claim of identity if a match occurs and to reject the user if a
non-match occurs. Such a mode of operation relies on the matching of a single
biometric sample and may therefore produce unacceptable FMR and FNMR values.
According to [7], most biometrics-based authentication systems allow the user
at least three attempts before rejecting the user. More generally, the system
accepts the user’s claim of identity if m out of n submitted samples match the
corresponding reference template.
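The m-out-of-n rule just described can be sketched as follows; the function name, the score values and the 0.8 threshold are illustrative assumptions, not taken from the paper.

```python
def m_out_of_n_decision(scores, threshold, m):
    """Accept the claimed identity if at least m of the n submitted
    samples score at or above the matching threshold."""
    matches = sum(1 for s in scores if s >= threshold)
    return matches >= m

# Hypothetical similarity scores in [0, 1] for three attempts;
# a 2-out-of-3 rule with threshold 0.8 accepts this user, because
# two of the three scores reach the threshold.
accepted = m_out_of_n_decision([0.91, 0.62, 0.85], threshold=0.8, m=2)
```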
Another possible authentication strategy is to allow the user to attempt
authentication using two or more biometric features. In this strategy, reference
templates for two or more biometric features, e.g. fingerprints from different
fingers or different voice passwords, are stored in the system. In order to be
authenticated, the user is required to submit two or more different fingerprints,
or two or more different voice passwords. The results of the different tests are
then combined for the system to achieve an authentication decision, much in the
same way as in multibiometric systems but employing only one type of biometric
measurement. The FNMR can be reduced if the biometric tests are combined
using an ‘OR’ operator. Note however that such a combination rule increases
the FMR.
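Under an independence assumption between the individual tests (an assumption not stated in the text), the effect of the ‘OR’ combination on both error rates can be made concrete: a false non-match now requires every test to fail, while a false match needs only one test to succeed wrongly.

```python
def or_combined_rates(fmrs, fnmrs):
    """Error rates of an OR combination of independent biometric tests
    (accept if ANY test matches).  A false non-match requires every
    test to fail, so the FNMRs multiply; a false match needs only one
    wrong match, so the FMR grows."""
    fmr = 1.0
    for f in fmrs:
        fmr *= (1.0 - f)
    fmr = 1.0 - fmr
    fnmr = 1.0
    for f in fnmrs:
        fnmr *= f
    return fmr, fnmr

# Two tests, each with FMR = 1% and FNMR = 5% (hypothetical values):
# the combined FMR rises to about 1.99%, the FNMR drops to 0.25%.
fmr, fnmr = or_combined_rates([0.01, 0.01], [0.05, 0.05])
```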
Denial of Access in Biometrics-Based Authentication Systems 27
6 Conclusions
Biometrics has emerged as a powerful tool for automated identification systems,
overcoming the problems presented by the traditional methods.
References
1. A. Adams and M. A. Sasse,“Users are not the Enemy”, Communications of the
ACM, 42, no. 12, pp. 41–46, Dec. 1999.
2. J. L. Wayman, “Technical testing and evaluation of biometric identification de-
vices”, in Biometrics: Personal Identification in Networked Society, A. Jain, R.
Bolle, and S. Pankanti (editors), Kluwer Academic Publishers, pp. 345–368, 1999.
1 Introduction
Authentication and identification protocols for controlling users’ access to par-
tially shared or private resources are fundamental problems for computer scien-
tists working on data security. Several methods have been proposed in recent
years but, among these, password-based access control strategies are still fre-
quently used because of their simplicity.
A user who wants to identify himself to a system engages in an interactive
identification protocol: first, the user types in his login name; then the system
asks for the password, a secret word which proves the real identity of the user.
The system stores in a database a reference string encrypted using the password
as a key. So, when the user types in his password, the system re-encrypts the
reference string and compares it with the stored one. If they match, access
is allowed; otherwise, it is refused. The scheme is secure only as long as the
user keeps his password secret.
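The login scheme just described can be sketched as follows. The text does not specify the cipher, so HMAC-SHA256 stands in for the keyed encryption of the reference string; the reference value and all names are hypothetical.

```python
import hashlib
import hmac

REFERENCE = b"reference-string"   # fixed reference string (hypothetical value)

def enroll(password):
    # Store only the reference string "encrypted" under the password;
    # HMAC-SHA256 stands in for the keyed encryption used by the scheme.
    return hmac.new(password.encode(), REFERENCE, hashlib.sha256).digest()

def verify(password, stored):
    # Re-encrypt the reference string with the typed password and
    # compare the result with the value stored in the database.
    candidate = hmac.new(password.encode(), REFERENCE, hashlib.sha256).digest()
    return hmac.compare_digest(candidate, stored)

stored = enroll("s3cret!")
assert verify("s3cret!", stored)    # matching password: access allowed
assert not verify("guess", stored)  # wrong password: access refused
```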
G. Davida, Y. Frankel and O. Rees (Eds.): InfraSec 2002, LNCS 2437, pp. 30–39, 2002.
© Springer-Verlag Berlin Heidelberg 2002
A Novel Approach to Proactive Password Checking 31
Previous works. The problem of using hard-to-guess passwords has been studied
in several papers. So far, four techniques [3,4] have been proposed to eliminate
easy-to-guess passwords, and the most promising seems to be the proactive
password checking approach.
Conceptually, a proactive password checker is a simple program. It holds
a list of easy-to-guess passwords that must be rejected. When the user wants
to change his password, the checker tests the new password for membership in
the list. If the password is found, the substitution is refused and a short justi-
fication is given; otherwise, the substitution is allowed. The philosophy these
programs are based on is that the user may select any password, but the system
enables the change only if it is a “non-trivial” one. However, a straightforward
implementation of such a program is not practical, since the list can be very
long and the time to check membership can be high.
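The straightforward (and space-hungry) checker described here can be sketched in a few lines; the function name and word list are hypothetical.

```python
def naive_proactive_check(candidate, easy_list):
    """Refuse the password change if the candidate appears in the list
    of easy-to-guess passwords; otherwise allow it.  Keeping the whole
    list in memory is exactly the cost the text warns about."""
    if candidate.lower() in easy_list:
        return False, "password appears in the easy-to-guess list"
    return True, "password accepted"

easy = {"password", "letmein", "qwerty"}
ok, reason = naive_proactive_check("LetMeIn", easy)  # refused: in the list
```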
Various proactive password checkers that aim to reduce the time and space
requirements of this trivial approach have been proposed [10,11,5]. All these
models improve upon the basic scheme. An interesting approach to designing
a proactive password checker is the one applied in [1], and subsequently
improved in [6], where the problem of password classification is viewed as a
machine-learning problem. In a training phase, using dictionaries of examples
of easy- and hard-to-guess passwords, the system acquires the knowledge to dis-
tinguish between them. This knowledge is represented by a decision tree that
is afterwards used by the checker to accept or refuse a password change. The
experimental results reported in [1,6] show a meaningful improvement in the
error rates with respect to previous solutions.
In this paper we introduce a new idea in proactive password checking: We use
a perceptron to distinguish easy-to-guess passwords from hard ones. During the
training phase, the perceptron learns the differences between “easy” and “hard”
by means of examples. The perceptron is then used in the testing phase to
decide the membership of a password in one of the two classes. The technique
is promising, since the checker shows small error rates and requires very little
memory (in our prototype, only 40 bytes!). It is interesting to point out that
the perceptron essentially encodes a set of rules for classifying passwords.
32 C. Blundo et al.
A checker that implements a direct approach (i.e., code that checks a bunch of
rules with a series of if-then-else statements) has non-negligible time and memory
requirements. We obtain better performance by evaluating a simple weighted
sum and using only 40 bytes. Hence, this approach is suitable for implementation
even on devices with very limited hardware resources (e.g., smart cards).
2 Mathematical Framework
E(F_U) = Σ_{i=1}^{|P|} (i / |P|) · T ≈ (|P| / 2) · T .    (1)
3 Pattern Recognition
vector onto the classification space, and usually defines a boundary among the
classes. If the discriminant function is a linear function, i.e., it defines a bound-
ary in the classification space that looks like an hyperplane, the classifier is said
linear. Of course, a linear classifier can be used if the classes themselves can
be separated by means of a straight line. When this happens, we say that the
problem is linearly separable.
As we will see later, the system we are looking for is a pattern recognition
system that takes words as input, extracts some features from them, and then
outputs a decision on their membership in the easy-to-guess class or the hard
one. To classify, our device uses a perceptron, which realizes a linear classifier.
This type of learning is called Hebbian in honour of Donald Hebb, who proposed
a similar rule in 1949, starting from his studies of real neural systems.
It is well known (and not difficult to see) that the perceptron implements a
linear classifier. Indeed, the weighted sum defines a hyperplane in the Cartesian
space. If the weighted sum of an input is greater than the threshold, the
pattern belongs to the class on one side of the hyperplane; otherwise, it is an
element of the class on the other side.
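A perceptron of this kind can be sketched as a weighted sum compared against a threshold (folded here into a bias term), together with the classic error-driven update rule. The feature vectors below are hypothetical numeric examples; the paper’s actual password features are not specified in this excerpt.

```python
def perceptron_predict(weights, bias, features):
    """Classify by the weighted sum: above the threshold (folded into
    the bias) means one class, otherwise the other."""
    s = bias + sum(w * x for w, x in zip(weights, features))
    return 1 if s > 0 else -1

def perceptron_update(weights, bias, features, label, lr=0.1):
    """Classic perceptron rule: on a mistake, move the separating
    hyperplane toward the misclassified example."""
    if perceptron_predict(weights, bias, features) != label:
        weights = [w + lr * label * x for w, x in zip(weights, features)]
        bias = bias + lr * label
    return weights, bias

# A tiny linearly separable toy set (hypothetical 2-D feature vectors;
# +1 = hard-to-guess, -1 = easy-to-guess).
data = [([2.0, 1.0], 1), ([1.5, 2.0], 1), ([-1.0, -0.5], -1), ([-2.0, -1.5], -1)]
w, b = [0.0, 0.0], 0.0
for _ in range(20):                      # a few epochs suffice here
    for x, y in data:
        w, b = perceptron_update(w, b, x, y)
assert all(perceptron_predict(w, b, x) == y for x, y in data)
```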
Intuitively, our problem is linearly separable, i.e., easy-to-guess passwords and
hard ones present characteristics which permit the separation of the two classes
by means of a straight line. Under this hypothesis, we have designed the kernel
of the proactive password checker. The results obtained seem to confirm this
intuition.
4 The Checker
Many operating systems limit the length of the password. For example, Unix-
like operating systems work with passwords of length at most 8 characters, while
many others do not accept passwords of length less than 6 characters. For this
reason, in the training and testing phases of our experiments we have used
dictionaries of hard-to-guess passwords generated as random words with length
ranging between 6 and 8 characters. Similarly, passwords contained in the
easy-to-guess dictionaries, collected from several sources, have been truncated
to the first eight characters.
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
a b c d e f g h i j k l m n o p q r s t u v w x y z : ; < = > ? @ [ ] ˆ
_ ‘ ’ { | } ! " # $ % & ( ) * + , - . / ˜
The random selection has been done using the random() C function. This func-
tion implements a non-linear pseudorandom generator that is guaranteed to
have a long period.
Recall that, as we have said before, a character is strong if it belongs to the
set listed above.
The dictionaries strong.1 and strong.2 have been constructed using the same
rule as the one used to construct strong.0, with additional constraints. More
precisely, each word in strong.1 has at least one strong character or at least two
digits. Similarly, each word in strong.2 contains at least two strong characters
or at least three digits. Intuitively, the “strength” of these dictionaries
increases from strong.0 to strong.2.
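The constraints on strong.1 and strong.2 can be expressed directly in code. Note one assumption: “strong character” is approximated here as any non-alphanumeric character, i.e. the symbols in the set listed above.

```python
def is_strong_char(c):
    # Assumption: a strong character is any character that is neither
    # a letter nor a digit (the symbol subset of the alphabet above).
    return not c.isalnum()

def qualifies_strong1(word):
    # strong.1: at least one strong character, or at least two digits
    return (sum(is_strong_char(c) for c in word) >= 1
            or sum(c.isdigit() for c in word) >= 2)

def qualifies_strong2(word):
    # strong.2: at least two strong characters, or at least three digits
    return (sum(is_strong_char(c) for c in word) >= 2
            or sum(c.isdigit() for c in word) >= 3)

assert qualifies_strong1("ab#defg1")       # one symbol is enough
assert not qualifies_strong2("ab#defg1")   # needs two symbols or three digits
```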
As for the dictionaries of easy-to-guess passwords, the first one, weak, is com-
posed of words of length 1 to 18, recovered from several sources and books and
truncated to the first 8 characters. All the passwords in this dictionary are
composed of lower-case letters.
The Intuition Behind the Experiments. The training phase is a critical step:
based on the easy- and hard-to-guess examples presented, the perceptron learns
different notions of easy and hard. Hence, if the training set is not carefully
chosen, the perceptron can give poor performance. The first experiment we ran
was to train the perceptron with a “very easy” dictionary of easy examples
and a “very hard” dictionary of hard ones. Unfortunately, the results obtained
in the testing phase with this strategy are not exciting. The main problem with
this approach is that there is a big “distance” between the dictionaries, so many
noisy passwords are classified as hard to guess.
To avoid this phenomenon, we have used dictionaries whose distance is small
enough to obtain a more refined notion of “easy” and “hard” but, at the same
time, big enough to ensure that the perceptron learns these distinct notions.
The Experiments. We have trained the perceptron using all the possible combi-
nations of the strong dictionaries and the weak ones described in Section 5,
fixing the number of examples in each training run.
Since this number is smaller than the number of words in the dictionaries,
the training has been randomized. More precisely, in each step the training
procedure randomly chooses either the hard or the easy dictionary, and then
randomly selects a word from the chosen dictionary. After each training run,
we have tested all the testing dictionaries. Since the training is randomized, we
have repeated the overall process 100 times, to ensure that the results obtained
were consistent and not due to a “lucky” random sequence of examples. In
Table 1 of the Appendix we report the average number of modifications of the
perceptron’s parameters (i.e., weights) that occurred during the training phase
before convergence to a stable configuration.
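The randomized sampling at the heart of each training step can be sketched as follows; the dictionary contents and the 50/50 choice probability are assumptions for illustration.

```python
import random

def sample_example(easy_dict, hard_dict, rng=random):
    """One sampling step of the randomized training: first pick one of
    the two dictionaries at random, then pick a random word from it.
    Labels: -1 = easy-to-guess, +1 = hard-to-guess."""
    if rng.random() < 0.5:
        return rng.choice(easy_dict), -1
    return rng.choice(hard_dict), +1

easy = ["password", "qwerty"]
hard = ["k7#Qz!pa", "9f$Lw2%x"]          # hypothetical random words
word, label = sample_example(easy, hard, rng=random.Random(0))
assert (label == -1 and word in easy) or (label == +1 and word in hard)
```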
The results reported in Table 1 clearly state that if the distance between the
dictionaries used during the training phase is large, the process converges almost
immediately. On the other hand, if the distance between these dictionaries is
really small, the same process takes a while (and may not converge at all).
For space reasons, we report the results only for the experiments associated
with training using strong.1 and strong.2 as strong dictionaries. In Table 2 in
the Appendix we report the expected error and the variance obtained on each
testing dictionary.
Strong Dictionaries
strong.0              strong.1              strong.2
weak        102       weak        7         weak        2
noise.0.1   699       noise.0.1   385       noise.0.1   10
noise.0.2   2113      noise.0.2   1653      noise.0.2   1286
noise.1.1   3882      noise.1.1   3637      noise.1.1   10
noise.2.2   7495      noise.2.2   6980      noise.1.2   7150
Platform. The experiments presented have been run on a 450 MHz Pentium III
machine running Linux kernel 2.2.10, with 256 MB of RAM and a 9 GB SCSI
hard disk. On this machine, the software has checked more than 56,000 pass-
words/sec. Our tests show that this approach is significantly faster than all the
previously proposed ones.
References
1. F. Bergadano, B. Crispo, and G. Ruffo, High Dictionary Compression for Proactive
Password Checking, ACM Transactions on Information and System Security, Vol.
1, No. 1, pp. 3-25, November 1998.
2. R. Beale and T. Jackson, Neural Computing: An Introduction, IOP Publish-
ing Ltd, Institute of Physics, 1990.
3. M. Bishop, Proactive Password Checking, in Proceedings of 4th Workshop on Com-
puter Security Incident Handling, 1992.
4. M. Bishop, Improving System Security via Proactive Password Checking, Comput-
ers and Security, Vol. 14, No. 3, pp. 233-249, 1995.
5. B. Bloom, Space/Time Trade-offs in Hash Coding with Allowable Errors, Commu-
nications of the ACM, Vol. 13, No. 7, July 1970.
6. C. Blundo, P. D’Arco, A. De Santis, and C. Galdi, Hyppocrates: A New Proac-
tive Password Checker, Proceedings of ISC 2001, Springer-Verlag, LNCS, Vol. 2200,
Malaga, October 1–3, 2001.
7. C. Davies, and R. Ganesan, Bapasswd: A new proactive password checker. In Pro-
ceedings of the 16th National Conference on Computer Security (Baltimore, MD,
Sept. 20-23).
8. D. Klein, Foiling the Cracker: A Survey of, and Improvements to, Password Secu-
rity, Proceedings of the 2nd USENIX UNIX Security Workshop, 1990.
9. A. Muffett, Crack 5.0, USENET News.
10. J. B. Nagle, An obvious password detector. USENET News.
11. E. Spafford, OPUS: Preventing Weak Password Choices, Computers and Security,
Vol. 11, No. 3, 1992.
Single Sign-On Architectures
Jan De Clercq
Security Consultant, HP
Authentication infrastructures have been around for many years now. They are very
popular in big computing environments where scalability is a key requirement. In
such environments, it’s not very cost-efficient from both an implementation and an
administration point-of-view to create a separate authentication system for every
individual computer system, resource or application server. It is much better to
outsource this functionality to an authentication “infrastructure”.
This paper focuses on the architectural approaches one can take when designing an
SSO solution for a large IT infrastructure and on the security technology building
blocks that can be used to construct such an SSO infrastructure. This brief does not
address the architecture of every SSO solution currently available on the software
market; many of them have a relatively small scope and span only a couple of
applications, platforms or authentication methods.
Before continuing let’s make sure we all agree on the basic authentication
infrastructure terminology.
G. Davida, Y. Frankel and O. Rees (Eds.): InfraSec 2002, LNCS 2437, pp. 40–58, 2002.
© Springer-Verlag Berlin Heidelberg 2002
The set of resources governed by an authentication authority is usually called a
“domain” (in Microsoft terminology) – but you may as well call it a “realm” (in
Kerberos terminology), or a “cell” (in DCE terminology) – it doesn’t really matter.
Anyhow, when a user logs on successfully to the authentication authority’s domain
he can transparently access all resources in the domain, without re-authenticating to
every individual resource server.
During a typical authentication process (like the one illustrated in Figure 1) a user
submits his credentials (in the example above: a User-ID and a password) or the result
of a cryptographic operation involving his credentials to the authentication authority.
The authentication authority then validates the credentials using the data stored in its
credential database. If the credentials supplied by the user and the ones stored in the
database match or if the result of a cryptographic operation on the credentials stored
in the database equals the information supplied by the user, the user’s identity is
considered “authentic”. Consequently the user is given or denied access to the
authentication authority’s kingdom. To prove that the user has been authenticated the
authentication authority will issue a cryptographic token to the user. This token will
be used as a proof of authentication in subsequent accesses to other resources in the
authentication authority’s kingdom.
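The validate-then-issue flow just described can be illustrated with a token scheme in miniature. The paper prescribes no particular token format, so the HMAC-signed token, the key name and all other identifiers here are hypothetical.

```python
import hashlib
import hmac
import json
import time

AUTHORITY_KEY = b"authority-secret"   # key shared with resource servers (assumed)

def issue_token(user):
    """After validating the credentials, the authority issues a token
    binding the user name and a timestamp under its secret key."""
    payload = json.dumps({"sub": user, "iat": int(time.time())})
    tag = hmac.new(AUTHORITY_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag

def verify_token(token):
    """A resource server that shares the key checks the proof of
    authentication without re-running the login protocol."""
    payload, _, tag = token.rpartition(".")
    good = hmac.new(AUTHORITY_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(good, tag)

token = issue_token("alice")
assert verify_token(token)             # accepted by any server with the key
assert not verify_token(token + "00")  # tampering invalidates the token
```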
Remember that SSO is “authentication”-related, not “access control”-related. Too
many people confuse authentication and access control. “Authentication” is a security
process that assures that a user’s identity is authentic, or in other words that another
user, application or service knows who it is talking to. “Access control” is a security
process that decides what a particular user is allowed or not allowed to do with a
resource.
SSO is advantageous for both users and administrators. There’s no need to point out
that users’ and administrators’ lives become much easier if they have to deal only
with a single set of credentials – one for every user. An average user will have to
provide his logon credentials only once a day and will need to change only a
single set of credentials at regular intervals. Indirectly this will increase a user’s
productivity. The authentication infrastructure, its administrators and helpdesk
operators will only need to keep track of the changes to a single entry for every user
in the credential database. A key advantage is also that all authentication data are
centralized and can be accessed and manipulated using the same tools and procedures.
The latter may also be a weakness: if a malicious person gets to the database and can
bypass its security system, he gets access to all of the data at once.
The advantages of SSO are not only related to ease of administration and use: it
also brings important security advantages. Centralization eases the enforcement of a
consistent authentication policy throughout the enterprise. And obviously, it’s also
much easier to secure a centralized than a distributed infrastructure. The lack of SSO
services increases the risk of compromise of an authentication service’s security. For
example, because users need to keep track of different password credentials, they may
start writing them down on Post-It notes and sticking them to the back of their
keyboards. Indirectly the absence of SSO can also affect the availability of an
authentication service: the more passwords users have to remember or keep track of,
the bigger the chance that they forget or lose them.
A good SSO solution is also platform- and/or application neutral: it can hide the
authentication implementation details on different operating system platforms from
the SSO user and can provide support to “outsource” the application-level
authentication logic to a centralized SSO authentication authority.
An often-heard argument against SSO is that SSO credentials are the “key to the
kingdom”: whoever obtains the SSO credentials gets access to all resources
secured by them. This risk may be reduced when choosing SSO credentials that are
not knowledge-based (a classical example of knowledge-based credentials are
passwords) but rather biometric- (for example using fingerprints) or possession-based
(for example using cryptographic tokens or smart cards). The use of multi-factor
authentication solutions for SSO will further reduce this risk.
Over the past years operating system vendors like Novell and Microsoft have proven
that SSO can easily be implemented in homogeneous LAN and intranet environments
where all machines run the same operating system and trust the same authentication
authority. Extranet Access Management System (EAMS) software vendors like
Netegrity, RSA (Securant), Baltimore, Entrust and many others have proven the same
thing for homogeneous web portal environments. Finally, remote-access
authentication infrastructures using RADIUS, TACACS or TACACS+ showed
that setting up SSO is relatively straightforward in environments using a centralized
authority that communicates with a set of authentication proxies using a single well-
defined authentication protocol. A non-exhaustive list of software products supporting
simple SSO is given in Table 1.
44 J. De Clercq
Things get much more complex if the SSO scope is extended to cover different
platforms and different organizations, which are using different authentication
credentials and protocols and are governed by many different authorities. Usually this
also means that the infrastructure has to deal with multiple credentials per user.
Having a single authentication authority doesn’t necessarily mean that only one
authentication server and a single credential database are available. For scalability and
performance reasons a single authentication authority may consist of multiple
authentication servers and a set of replicated credential databases. Figure 2 illustrates
SSO in an environment with a single authentication authority and multiple
authentication servers.
To ease the explanation of the different SSO architectures used in complex SSO
setups, let’s first look at how authentication works in an environment with multiple
authentication authorities but without SSO support (as illustrated in Figure 3).
In the setup illustrated in Figure 3, the domain the user uses most often is called the
user’s primary authentication domain. Domains that the user uses less often are called
secondary authentication domains. Since, in the example, no SSO is available between
the primary and the secondary authentication domains, when a user wishes to access
resources in the secondary domains he has to authenticate to the TTPs of those
domains using his credentials as defined in each particular secondary authentication
domain. Every secondary authentication domain also has its own credential database.
Needless to say, this setup creates an enormous credential-safeguarding burden for
the end users. Note that in this setup the user uses different authentication tokens,
one per authentication authority.
In a token-based SSO architecture users get a temporary software token when they
have been successfully authenticated to the TTP (as illustrated in Figure 4). This
token can be cached on the user’s machine and can be reused to prove the user’s
identity to other secondary authentication domain TTPs. To validate the user token
the TTPs use cryptographic methods that are based on secret keys that are set up
between the secondary authentication domain TTPs and the primary authentication
domain TTP. This cryptographic key material represents a trust relationship between
primary and secondary authentication domains.
Contrary to the tokens we will discuss in other SSO architectures, the tokens used in
token-based SSO systems are valid for more than a single authentication authority.
Admittedly, in some token-based setups users do have more than a single token, but in
that case the authentication protocols support the automatic and transparent exchange
of the token of one authentication authority for a token issued by another
authentication authority.
In the Kerberos case users authenticate to a central authentication service, called the
Kerberos Key Distribution Center (KDC) (the authentication TTP). If their
authentication credentials are valid they receive a ticket (the software token). This
ticket enables the user to request other tickets from the KDC in order to access other
resources in the primary and secondary authentication domains. The tickets prove to
the resource servers that the user has been authenticated before by a trusted
authentication service – the Kerberos KDC.
The Kerberos authentication protocol has inspired the developers of the authentication
services for the Open Software Foundation’s (OSF) Distributed Computing
Environment (DCE). Microsoft has implemented Kerberos as the default
authentication protocol of Windows 2000. CyberSafe sells plug-ins that can be used
to enable an operating system platform to generate, understand and validate Kerberos
credentials (a process also known as “Kerberizing”).
The Kerberos token-based SSO typically uses Remote Procedure Calls (RPCs) to
transport authentication tickets. In HTTP-based environments token-based SSO can
be provided using HTTP cookies. The latter mechanism is used by many Extranet
Access Management Systems (EAMS) like Netegrity’s SiteMinder or Oblix’s
Netpoint when dealing with multiple authentication authorities. Microsoft currently
uses a similar cookie-based token system to extend the SSO functionality of its
Passport web authentication solution across different web sites. In the future
Microsoft wants to use a combination of the Kerberos protocol and a cookie-based
token system to enable Passport SSO to span many different authentication
authorities.
Token-based SSO software comes out-of-the-box with many of today’s most popular
operating system platforms (Windows 2000, Netware…). Table 2 below gives some
examples of software products providing token-based SSO support.
Contrary to token-based SSO systems, PKI-based SSO systems are a relatively new
technology. Early implementers of the technology experienced lots of interoperability
problems, mainly related to immature PKI standards. Over the last two years the
security software industry and standardization organizations like the IETF have made
important efforts to make PKI-based SSO systems enterprise-ready. Another early-
adopter problem was that few applications were PKI-enabled. Although the latter
problem hasn’t been fully resolved, most application software vendors have modified
their applications to let them understand PKI-based credentials. Table 3 below gives
some popular examples of PKI software solutions.
Contrary to token-based SSO, these three SSO architectures can provide single sign-
on in a more heterogeneous environment. Besides different credential types, they can
also support different account formats and multiple authentication protocols.
Because in this setup, the user is still prompted to enter his credentials by every single
authentication authority, these systems are not considered true SSO systems. Many
security experts consider it a very dangerous practice to synchronize credentials
between the databases of different authentication authorities. Their objections are
based on the “key to the kingdom” argument mentioned above. Table 4 below gives
some examples of credential synchronization software products.
In the early days of secure client-side credential caching, it was combined with client-
side scripting to automate the SSO process. No need to explain that this created a lot
of administrative overhead. Nowadays credential caching is combined with more
intelligent and adaptive client-side software that can automatically retrieve and
provide the correct credentials to the destination server. Table 5 below gives some
examples of secure client-side cache-based SSO software products.
In the context of this SSO architecture “secure storage” of the cached credentials is
absolutely vital. This is certainly the case if the cached credentials are used to give
access to business-critical applications or data. In the latter case it is not
recommended to use this SSO architecture on portable client devices (like laptops or
PDAs) or on operating system platforms that have a bad security reputation.
SSO based on a secure client-side cache can be implemented without the use of an
authentication “infrastructure”. In this case the primary credentials unlocking the
cache would be local credentials – “local” meaning: defined in the local machine’s
security database and only valid for accessing local machine resources. In the context
of an authentication infrastructure the user’s primary credentials are generally not
local credentials but domain credentials.
The credentials used in a secure server-side credential caching SSO architecture are
not necessarily the same for every authentication authority.
In a secure server-side credential caching SSO setup a user always first logs on to the
primary authentication authority using his primary credentials and a predefined
authentication protocol. If logon to the primary authentication authority is successful,
the user-side SSO software usually provides the user with a list of available
applications. When accessing an application that requires a logon to a secondary
authentication authority the user-side SSO software will first communicate with the
primary authentication authority to retrieve the appropriate user credentials. These are
then forwarded to the user in a secure way. Finally, the user-side SSO software will
use the secondary domain credentials to transparently log the user on to the secondary
domains.
Since in this architecture the secondary authentication authorities trust the primary
authentication authority to store a copy of their credentials in the primary credential
database, a trust relationship is required between every secondary and the primary
authentication authority.
Server-side caching generally provides better security because the credentials are not
stored on the client’s hard disk (also remember the security concerns raised above for
client-side caching).
Examples of secure server-side credential caching SSO systems are IBM’s Tivoli
SecureWay Global Sign-On, Computer Associates’ eTrust and Vasco’s SnareWorks
Secure SSO (as listed in Table 6). SecureWay Global Sign-On’s primary
authentication method, for example, is DCE token-based. After the initial
authentication, the client-side SecureWay Global Sign-On software retrieves the
correct credentials from the primary credential database and provides them
transparently to the correct secondary authentication authority.
Organizations increasingly want to extend the scope of their SSO environment to
cover users in other organizations and transaction requests initiated by business
partners. The demand for SSO scope extension is very high in the world of Internet
portals. SSO clearly benefits the Internet experience of any portal user from an
ease-of-use point of view.
There are two approaches when dealing with SSO spanning different organizations.
In the first approach an organization deals with the credential information and
authentication of users in other organizations locally, using its own credential
database and authentication authority. In the second approach organizations agree to
set up a federation agreement between their authentication authorities. In the latter
case users will always authenticate to their own organization’s authentication
authority.
When dealing with authentication locally an organization can define a set of local
credentials or decide to synchronize credential databases. In the first case an
organization simply provides every external entity with a set of new credentials that is
kept in the organization’s authentication database. Some organizations may even
agree to delegate the administration of these credentials to an external administrator.
A major disadvantage of this setup is that a user will end up with multiple credentials.
In other words: there is no more SSO. In the second case an organization decides to
synchronize account information between an external organization’s directory and its
own directory. Even though in this scenario users may end up with a set of
credentials that is identical across different organizations, users will still be
prompted to enter their credentials by every other authentication authority.
A real SSO solution would accept the external entities’ “foreign” credentials for
authentication to the organization’s authentication authority and would not require
users to re-enter their credentials. These are the goals driving distributed
authentication, or “federation”-based, authentication infrastructures.
PKIs use the concept of CA hierarchies, cross-certification, bridge CAs or any other
CA-to-CA interoperability solution to set up federations. Kerberos-based
infrastructures support federations through cross-realm trust relationships. Below are
some examples of commercial authentication infrastructure products and how they
support “trust” or “federation”:
• Novell NDS eDirectory (version 8.5 and later) uses the concept of NDS tree
federations.
• Microsoft Windows NT and 2000 domains use inter-domain trust relationships.
In Windows 2000 these trust relationships are built on Kerberos cross-realm
authentication.
• Microsoft Passport uses the concept of Passport federation. In the future Passport
federation will use Kerberos cross-realm authentication.
An interesting new language that will help with the creation of federations in the
future is the Security Assertion Markup Language (SAML). SAML is a new standard
that uses XML to encode authentication and authorization information. Because its
basis is XML, SAML is platform-independent. SAML is also authentication method-
neutral: for example, it could be used to set up federations between PKI- and
Kerberos-based authentication infrastructures. The development of SAML is driven
by OASIS (the Organization for the Advancement of Structured Information
Standards). OASIS is a nonprofit, international consortium that creates interoperable
industry specifications based on public standards such as XML and SGML. More
information on SAML is available from
http://www.oasis-open.org/committees/security/.
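As an illustration of the idea, the fragment below builds a simplified XML authentication assertion in the spirit of SAML; the element names are invented for readability and the result is not a conformant SAML assertion:

```python
# Minimal illustration of encoding an authentication statement in XML,
# in the spirit of SAML. This is NOT a conformant SAML assertion; element
# and attribute names are simplified for readability.
import xml.etree.ElementTree as ET


def make_assertion(subject, method, issuer):
    """Return an XML string asserting that `issuer` authenticated `subject`."""
    assertion = ET.Element("Assertion", issuer=issuer)
    stmt = ET.SubElement(assertion, "AuthenticationStatement", method=method)
    ET.SubElement(stmt, "Subject").text = subject
    return ET.tostring(assertion, encoding="unicode")
```

Because the statement is plain XML, any platform can parse it regardless of whether the issuing side authenticated the subject with Kerberos, a PKI, or something else.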
The table below compares Kerberos-, PKI- and SAML- based authentication
infrastructure federation.
The table below lists a set of well-known authentication APIs. APIs like GSSAPI,
JAAS and CDSA are vendor-neutral and provide more than just
authentication services. SSPI, PAM, NMAS and XUDA are not vendor-neutral and
provide only authentication services.
Jan De Clercq is a security consultant in HP's Technology Leadership Group (TLG), focusing
on security for Microsoft platforms. Jan has written several Compaq white papers, Windows
2000 magazine articles and columns for the Duke Press Security Administrator monthly
newsletter. He's co-author of the book Mission-Critical Active Directory (Digital Press). He has
been a speaker at Microsoft conferences, DECUS conferences, the RSA conference, the EMA
conference and the Compaq Technology Symposium. Jan has been involved in several
Windows, security and PKI-related projects for large Compaq accounts. Over the last year he
has been a trusted advisor on security topics for several large Windows 2000 designs and
deployments, and large PKI designs. He holds a master’s degree in Criminology (RUG-Gent)
and I.T. (VUB-Brussels), and a special degree in Telecommunications (ULB-Brussels). Jan is
based in Belgium.
Active Digital Credentials: Dynamic Provision of
Up-to-Date Identity Information
Marco Casassa Mont and Richard Brown
Hewlett-Packard Laboratories,
Trust, Security and Privacy
BS34 8QZ, Bristol, UK
{marco_casassa-mont, richard_brown}@hp.com
http://www.hpl.hp.com/
1 Introduction
E-commerce transactions on the Internet will become more and more relevant over the
next few years: the current exponential growth of e-commerce sites on the Internet,
new B2B initiatives and the rise of web services to underpin enterprise and government
activities are going to open up business opportunities on the Internet to an
ever larger population of customers and users.
Because of the accompanying increase in the number of business interactions where
there is a lack of prior knowledge about the participants, the task of establishing, man-
aging and ensuring trust on the Internet [1] is going to be a major issue.
In this context, the problem of dealing with up-to-date identity and profile informa-
tion is crucial. Personal information, profiles and rights can change quite frequently,
sometimes as a direct consequence of business transactions. Each transaction, for
example, can have an immediate impact on users’ credit limits and their associated
credit rating information.
G. Davida, Y. Frankel and O. Rees (Eds.): InfraSec 2002, LNCS 2437, pp. 59–72, 2002.
© Springer-Verlag Berlin Heidelberg 2002
60 M. Casassa Mont and R. Brown
This problem is also important in the e-commerce space. Today people buy and sell
goods and services on the Internet by interacting with a multitude of e-commerce sites.
Consumers traditionally need to create and manage multiple accounts, one for each
web site they want to interact with. This is an issue: users must remember multiple
logins and passwords, supply the same profile information many times and keep it
up-to-date.
Recent initiatives, including Microsoft .MyServices [2] and Liberty Alliance Proj-
ect [3], aim at the provision of infrastructure and mechanisms to ease the pain of man-
aging profile information across multiple Internet accounts.
Both initiatives support single-sign-on across multiple service providers by using an
underlying network of identity providers. Identity providers are in charge of storing
profiles and identity information and providing authentication services.
Identity providers should be accountable for the services they provide and perform
due diligence tasks to assess the authenticity and trustworthiness of identity and profile
information they supply to relying parties. Moreover identity providers should ensure
that this information is accurate and up-to-date.
In this paper we address the problem of keeping certified identity and profile in-
formation up-to-date without the burden of heavy management processes. We intro-
duce and discuss the concept of active digital credentials, based on a novel mechanism
to provide up-to-date certified identity and profile information along with an assess-
ment of their current level of trustworthiness and validity.
These approaches address trust problems for specific realms and contexts by improving
their overall usability and changing the dynamics of trust assessment. In addition, trust services [10] are emerging as a
viable solution to underpin trust in e-commerce and e-business areas: the management
of the information that forms the basis of trust is outsourced to professional and ac-
countable third parties. These third parties include notarization service providers,
recommendation service providers, credit rating service providers and trusted storage
service providers.
In all the above approaches, digital credentials are a viable mechanism to represent,
certify and convey identity and profile information along with means of verifying their
trustworthiness. Digital credentials are particularly important in contexts where there
is no prior knowledge of the involved parties and no web of trust is in place.
Traditional X.509 and SPKI digital credentials are usually valid for a predefined
period of time, ranging from a few seconds to years: their content can be used for
authentication and authorization purposes. They must be revoked whenever their
content is out-of-date or has been compromised.
Unfortunately the revocation process is a burden both for relying parties and for
credential issuers. Relying parties need to check credentials against certificate revoca-
tion lists (CRLs) to verify their validity or delegate this activity to third parties. Cre-
dential issuers must deal with the complexity of the overall credential lifecycle man-
agement and they are accountable for maintaining up-to-date CRLs.
The limitation of X.509 digital credentials is evident in contexts where the certified
information is dynamic: in such contexts credentials (such as attribute certificates) are
short-lived and they must be revoked whenever their content changes. This causes the
proliferation of digital credentials, with consequent implications in terms of
verification of their validity, correctness of their content, management of their
disposal and prevention of their misuse.
X.509 and SPKI digital credentials are either valid or not valid: there is no middle
ground even if the degree of trust a certification authority has in their content may
vary over time or if there is a wish to vary their content. For example, in traditional
X.509 certificates any variation of their attributes implies that the whole certificate
must be revoked. Important attributes including credit limits and rating levels may
change very often, depending on the occurrence of business transactions and owner’s
reputation.
To deal with dynamic information, e-commerce service providers currently use
back-channel communications with trusted information providers. Emerging mark-up languages,
like SAML [11], are used to underpin the exchange of information by means of secure
assertions. The disadvantage of this approach is that it requires the set-up of ad-hoc
point-to-point communication channels, and the exchanged assertions are meaningful
only in these very specific contexts.
This paper focuses on mechanisms to enable the provision of trustworthy and up-to-
date information in dynamic contexts. The objective is to create a coherent and sus-
tainable way to certify dynamic identity and profile information and reduce the burden
of their lifecycle management. We introduce a new approach based on the extension
of the current model of digital credentials.
3 Proposed Approach
This section introduces and describes the concept and principles underpinning active
digital credentials. Active digital credentials are a mechanism to extend traditional
static credentials (based on identity and attribute certificates) by providing means for
dynamically updating their content along with an assessment of their trustworthiness.
Fig. 1. Active digital credentials: issuance, exposure and involvement of trusted information providers
In contrast with traditional digital certificates – which have static content and a
predefined period of validity – active credentials provide certified mechanisms to
dynamically retrieve, calculate and update their content and to state their current
level of trustworthiness and validity. The embedded functions retrieve information
coming from heterogeneous sources and calculate the aggregated value of attributes,
along with their validity and trustworthiness.
Credential issuers certify the trustworthiness of these mechanisms. They need to
understand the functions underpinning these mechanisms and verify their correctness,
before embedding them in an active digital credential. They might directly implement
these functions after agreements with the information providers. The relying party
uses active digital credentials to obtain up-to-date information and evaluate their
trustworthiness and validity. This contrasts with traditional approaches, in which the
credential issuers only certify the validity and trustworthiness of data.
A local interpretation of active digital credentials (at the relying party site) ensures
that specific security and privacy requirements are fulfilled and that the interactions
between the involved parties happen in a predefined and controlled way.
The basic model of an active digital credential is shown in Figure 2.
Fig. 2. Basic model of an active digital credential: a payload of attributes, each carrying a value, a trustworthiness measure and attribute properties computed by embedded functions; global trust and validity attributes; and the issuer’s signature. The embedded functions draw on external sources
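The model in Figure 2 can be approximated in code: each attribute carries embedded functions that compute its current value and trustworthiness from external sources. The following Python sketch is illustrative only; real active credentials would be signed structures with functions certified by the issuer:

```python
# Sketch of the active credential model: attributes carry embedded
# functions that compute up-to-date values and trustworthiness scores.
# All names are illustrative; real credentials would be signed structures.

class ActiveAttribute:
    def __init__(self, name, value_fn, trust_fn):
        self.name = name
        self.value_fn = value_fn    # retrieves/derives the current value
        self.trust_fn = trust_fn    # assesses current trustworthiness in [0, 1]

    def evaluate(self, sources):
        return {"value": self.value_fn(sources),
                "trustworthiness": self.trust_fn(sources)}


class ActiveCredential:
    def __init__(self, owner, attributes, global_trust_fn):
        self.owner = owner
        self.attributes = attributes
        self.global_trust_fn = global_trust_fn  # overall validity/trust function

    def evaluate(self, sources):
        # Evaluate every attribute, then derive the credential-wide trust level.
        results = {a.name: a.evaluate(sources) for a in self.attributes}
        return {"owner": self.owner,
                "attributes": results,
                "global_trust": self.global_trust_fn(results)}
```

For instance, a credit-limit attribute could fetch its value from a bank source, while the global trust function takes the minimum trustworthiness across all attributes.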
3.2 Scenarios
Figure 3 shows a scenario where active digital credentials are exchanged between a
credential issuer, a credential owner and a relying party.
Fig. 3. Exchange of active digital credentials: (1) the credential issuer issues an active credential to its owner and manages its lifecycle, (2) the owner discloses the credential to a relying party, (3) the relying party fetches up-to-date credential content from information providers; all interactions rest on trust relationships
Users either directly supply their identity and profile information to the certification
authority or point to trusted information providers, which must be contacted to collect
this information. Active credential issuers might also play the role of trusted informa-
tion providers.
A certification authority (credential issuer) issues an active digital credential to a
user after a due diligence process involving the verification of user’s information
(Figure 3 – step 1).
Fig. 4. Scenario involving identity providers: (1) the credential issuer issues active credentials to their owner and manages their lifecycle, (2) the owner exposes the credentials to identity providers, (3) information providers disclose owner data through active credentials, (4) identity providers evaluate the credentials and supply up-to-date information to the relying party; all interactions rest on trust relationships
The parties and relationships in this scenario are conceptually similar to those
envisaged by the Microsoft .MyServices and Liberty Alliance initiatives. We analyze
the interactions between the involved parties from the perspective of providing
certified and up-to-date information.
People still own active digital credentials, issued by certification authorities (Figure
4 – step 1). These credentials might be directly exposed to trusted identity providers,
which act as proxies on behalf of the owners (Figure 4 – step 2).
The fact that active credentials have been assessed and certified and their content is
up-to-date increases the overall perception of trust and accountability.
Third party information providers may still retain profiles and information about
the credential owners. They can disclose (part of) this information to identity providers
under terms and conditions defined by the owners, through active digital credentials
(Figure 4 – step 3).
Identity providers are enabled to supply identity and profile information to service
providers according to credential owners’ policies, through the evaluation of active
digital credentials (Figure 4 – step 4). They retrieve up-to-date certified information,
evaluate its current level of trustworthiness and supply it to the relying parties.
In particular circumstances identity providers might also play the role of credential
issuers.
3.3 Infrastructure
Because of the nature of active digital credentials, the entities that evaluate these cre-
dentials (evaluators, e.g. relying parties, identity providers, etc.) need to use an appro-
priate infrastructure. This section describes high-level aspects of an infrastructure for
the interpretation and execution of active credentials.
Figure 5 shows the basic components of this infrastructure:
Fig. 5. Basic components of the active credential evaluation infrastructure: a credential interpreter with access to context, validation and verification, authorization and logging components, a communication layer, the local system and APIs exposed to applications and services
1. Credential interpreter: it is the core component that interprets active digital
credentials and executes their embedded functions, mediating their access to the
other components of the infrastructure.
2. Context component: it is the component that provides contextual information to
the functions embedded in the credential, during their execution. This could be re-
quested to enable the interaction with remote information providers and fulfill con-
straints dictated by the credential owner.
3. Validation and verification component: it is the component that provides policies
and processes necessary to deal with the validation and verification of active digital
credentials [16]. It contains a list of trusted (identity) certificates of third parties,
including those owned by trusted certification authorities. The credential interpreter
uses this component to make decisions about the integrity, validity and trustworthi-
ness of active credentials including the trustworthiness of the issuers and their
digital signatures. The functionalities of this component can also be used by the
functions embedded in active digital credentials, to verify digitally signed or en-
crypted information supplied by information providers.
4. Authorization component: it is the component that provides authorization and ac-
cess control policies and an enforcement engine [16]. The credential interpreter
uses this component to make decisions about the information that can be disclosed
to third parties and which access can be granted to local resources, while interpret-
ing active credentials.
5. Communication component: it is the component providing basic communication
mechanisms to interact with external systems and services (via common Internet
protocols, including HTTP, SSL, etc.). It is in charge of establishing secure con-
nections with remote parties.
6. APIs: it is a set of high-level APIs to the infrastructure that allow external applica-
tions and services to manipulate active credentials in a way that is transparent to the
underlying mechanisms.
7. Logging system: it is the component that logs all the activities and events that hap-
pen during the evaluation of active credentials. Logged data can be used for audit-
ing purposes and as evidence in case of disputes. This component is fundamental
for storing and providing access to non-repudiable data, such as signed information
supplied by information providers to active credential functions.
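A minimal sketch of how these components might be wired together follows; the interfaces are assumptions for illustration, not a specification of the prototype:

```python
# Minimal sketch of an active-credential evaluator wiring together the
# components described above. Interfaces are illustrative assumptions,
# not the actual prototype's API.

class Evaluator:
    def __init__(self, validator, authorizer, log):
        self.validator = validator    # validation & verification component
        self.authorizer = authorizer  # authorization component
        self.log = log                # logging system (audit trail)

    def evaluate(self, credential, requester):
        # Every evaluation is logged for auditing and dispute resolution.
        self.log.append(("evaluate", requester, credential["issuer"]))
        if not self.validator(credential):
            raise ValueError("untrusted issuer or broken signature")
        if not self.authorizer(requester, credential):
            raise PermissionError("disclosure not permitted by owner policy")
        # Run the embedded functions to obtain the up-to-date content.
        return {name: fn() for name, fn in credential["functions"].items()}
```

The interpreter thus consults the validation and authorization components before any embedded function runs, matching the controlled evaluation described above.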
The evaluator can take into account this information along with its opinion of the
trustworthiness of the credential issuer, in order to make an informed decision.
Depending on the specification of the active digital credential, the information
retrieved by the embedded functions can be digitally signed by the information
providers, for non-repudiation purposes. This information might also be encrypted
with the evaluator’s public key, along with nonces, to avoid replay attacks.
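The combination of signing and nonces can be illustrated as follows. The sketch uses an HMAC over a shared key purely to stay self-contained; an actual deployment would use the providers’ public-key signatures and encryption under the evaluator’s public key:

```python
# Illustration of nonce-based freshness for provider responses. A real
# system would use public-key signatures and encryption; HMAC with a
# shared key is used here only to keep the sketch self-contained.
import hashlib
import hmac


def provider_respond(key, nonce, payload):
    """Provider binds its answer to the evaluator's fresh nonce and tags it."""
    message = nonce + payload  # fixed-length nonce prefix, then payload
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message, tag


def evaluator_verify(key, nonce, message, tag):
    """Evaluator checks the tag and that its own fresh nonce is echoed back."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False  # tampered or forged response
    return message[:len(nonce)] == nonce  # stale nonce => replayed response
```

A replayed response carries an old nonce and is rejected even though its tag verifies, which is exactly the protection the nonce provides.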
The certification authority could associate with each attribute (within an active digital
credential) a list of the identity certificates of the providers from which up-to-date
information is collected. This gives the evaluator extra information to verify the correctness
of the sources of up-to-date information. The infrastructure also provides mechanisms
to allow the active credential functions to access contextual information and verifica-
tion functionalities.
The above infrastructure can be deployed in multiple contexts, ranging from
browser plug-ins to back-end middleware processes.
4 Discussion
Relevant prior work in this area is described by patent [15]. It introduces the concept
of static references to external information within a credential. Those references are
usually implemented by an identifier (label) to retrieve information stored elsewhere.
The solution described in [15] does not provide any certified mechanism to locally
elaborate the retrieved information.
Relevant work and technologies have been developed in the context of mobile code,
as a way to locally execute operations that might affect remote resources or retrieve
information from third parties. This work includes traditional Java applets and
applications, Microsoft ActiveX components, etc. These applets, applications and
components can be digitally signed by trusted certification authorities, and their
integrity can be validated and verified by common web browsers.
These technologies can be used as a foundation of our work. In addition, we intro-
duce mechanisms to dynamically evaluate the content of digital credentials by defin-
ing and certifying those mechanisms (functions) within the credentials themselves, in
a fine grained way: an active digital credential is a tool for describing, certifying,
retrieving, elaborating and assessing dynamic identity and profile information.
X.509 PKI identity and attribute certificates are usually perceived as entities that
are generated once and then relied upon offline later. Much of their attractiveness
rests on just this assumption. In reality, the perception is not accurate: for
verification purposes, relying parties still have to download certificate revocation
lists from online sites maintained by certification authorities. Moreover, in the case
of dynamic information, traditional certificates only provide a snapshot of this
information at issuance time.
Active digital credentials extend the online interaction model in order to retrieve
and provide up-to-date information. Information can be retrieved from different in-
formation providers and it can be locally correlated, according to embedded policies:
this is a feature that is not provided by common PKI certificates.
70 M. Casassa Mont and R. Brown
An active digital credential can be seen as a “contract” agreed between the creden-
tial owner, information providers and the credential issuer(s). As credential owners
can dictate the criteria for the disclosure of their data, active credentials enable them to
retain control over their data. There is no system-induced requirement for actual data
values to be disclosed to relying parties; this privacy characteristic is especially im-
portant when the credential owner has no prior trust in the relying parties.
Active digital credentials still need to go through traditional credential lifecycle
management processes. Moreover, their active functions need to be assessed and certi-
fied by the issuers (certification authorities). Issuers and information providers need to
stipulate agreements, along with trust relationships. However these trust relationships
are also required in scenarios that do not involve active credentials, in order to
underpin trust and accountability. We believe that active digital credentials improve
the lifecycle management of digital credentials by making a credential’s validity less
dependent on all of its content remaining unchanged. This is particularly true
for very dynamic environments.
On one hand, the value of attributes can be retrieved dynamically and their validity
and trustworthiness assessed on the fly. This allows active credentials to remain valid
and trustworthy even when some of their attributes no longer are. The effect is to reduce
both the number of revoked credentials and the need for short credential lifetimes, at
least in contexts where the objective is to supply identity and profile information in-
stead of authentication or authorization rights.
On the other hand, the content of active credentials depends on the availability of
external systems, services and Internet connections. When those entities are not
available, active credential content cannot be retrieved. This can be an issue. Risks can be
partially mitigated by introducing default values for attribute properties and local
elaborations. It must also be said that the content of an active credential does not
necessarily depend on external information providers; it might instead depend on local
elaboration of information such as date and time (for example, in the case of decaying certificates).
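The decaying-certificate example can be made concrete: a trustworthiness function evaluated locally from the current time alone, with no network access. The exponential law and half-life below are illustrative assumptions; the actual decay law would be chosen and certified by the issuer:

```python
# Sketch of a locally evaluated "decaying" trustworthiness function:
# trust decreases with the age of the credential, with no network access.
# The exponential law and the half-life value are illustrative assumptions.

def decaying_trust(issued_at, now, half_life):
    """Trustworthiness in (0, 1] that halves every `half_life` seconds."""
    age = max(0.0, now - issued_at)
    return 0.5 ** (age / half_life)
```

An evaluator applying this function needs only the local clock, so the credential stays usable even when no information provider is reachable.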
Active credentials need a proper infrastructure in order to be evaluated. However,
the same is true of traditional digital certificates, which require infrastructure for
their validation and verification. The advantage of the proposed active credential infrastructure is that it
provides certified and agreed mechanisms to assess the validity and trustworthiness of
active credentials and up-to-date content. This can be achieved in a safe and secure
way thanks to the mediation of the active credential infrastructure.
On one hand it is possible to enforce privacy and data protection constraints over
credentials’ content. The content of an active credential can be disclosed and made
available to a relying party only after the authentication of this relying party and the
fulfillment of criteria dictated by the credential owner.
On the other hand, functions within active digital credentials need to be carefully
built in order not to introduce vulnerabilities within the systems and services they
access at the information providers’ sites. Those risks can be mitigated by constraining
the kinds of access and activities those functions can perform on the remote sites.
Credential issuers must be involved in building those functions, in cooperation with
the information providers.
5 Current Work
We are in the process of implementing a prototype that includes the basic infrastruc-
ture components to support active digital credentials, as described in our model.
We are planning to carry out experiments in a realistic distributed environment, in an
incremental, step-by-step way.
The first step will involve a few simulated web commerce sites, at least two iden-
tity providers and a few credential issuers and information providers. Subject to avail-
ability, we are going to adopt a standard federated identity management infrastructure,
for example the one that is currently under specification by the Liberty Alliance Proj-
ect.
The objective is to increase our understanding of integration details, obtain more
experimental data about the implications of issuing, managing and evaluating active
digital credentials and refine requirements in terms of security and privacy.
Next steps will involve experiments with a broader number of players (owners, cre-
dential authorities, relying parties and information providers) to understand the impli-
cations of operating active digital credentials at a realistic scale.
6 Conclusion
The provision of up-to-date and trustworthy identity and profile information is impor-
tant to enable e-business transactions.
Digital credentials are a viable way to certify and verify identities and profiles but
their limitations are due to their static content and the complexity of the underlying
infrastructure to manage them. When dealing with dynamic environments, current
digital credentials introduce further complexity at the management and usability level.
We introduced and discussed the concept of active digital credentials, as a way to
couple certified attributes with mechanisms to retrieve their up-to-date values. Em-
bedded active credential functions are used to evaluate (by retrieval and local correla-
tion) not only the current content of a credential but also its validity and trustworthi-
ness, in a fine-grained way.
We believe this approach simplifies the management of credentials in dynamic en-
vironments, by reducing the need for certification revocation practices and short-lived
certificates. We also believe that it boosts accountability and trust because of the defi-
nition of clear mechanisms for retrieving information, the assessment and certification
of these mechanisms by trusted third parties and the provision of up-to-date content,
along with a dynamic assessment of its validity and trustworthiness.
Work is in progress: we are building a prototype of our model, gathering further
experimental information and potentially refining our proposal in the context of a
federated identity management scenario.
References
1. Camp, L. J.: Trust and Risk in Internet Commerce. The MIT Press (2000)
2. Microsoft: Microsoft .MyServices: a platform for building user-centric applications.
http://www.microsoft.com/myservices/ (2002)
3. Liberty Alliance: Project Liberty Alliance. http://www.projectliberty.org/ (2002)
4. Housley, R., Ford, W., Polk, W., Solo, D.: RFC2459: Internet X.509 Public Key Infra-
structure Certificate and CRL profile. IETF (1999)
5. Farrell, S., Housley, R.: An Internet Attribute Certificate Profile for Authorization. IETF
(1999)
6. IETF: An Open Specification for Pretty Good Privacy (PGP).
http://www.ietf.org/html.charters/openpgp-charter.html (2001)
7. Ellison, C.: SPKI Requirements, RFC 2692. IETF (1999)
8. Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B., Ylonen, T.: SPKI Certificate
Theory, RFC 2693. IETF (1999)
9. Boneh, D., Franklin M.: Identity-based Encryption from the Weil Pairing. Crypto 2001
(2001)
10. Baldwin, A., Beres, Y., Casassa Mont, M., Shiu, S.: Trust Services: A Trust Infrastructure
for E-Commerce. HPL-2001-198 (2001)
11. OASIS: SAML 1.0 Specification Set. http://www.oasisopen.org/ (2002)
12. Eastlake, D., Reagle, J., Solo, D.: XML-Signature Syntax and Processing, draft-ietf-
xmldsig-core-08. IETF (2000)
13. Bray, T., Paoli, J., Sperberg-McQueen, C.M.: Extensible Markup Language (XML) 1.0.
W3 Recommendation (1998)
14. W3C: Web Services Description Language (WSDL) 1.1. W3C (2001)
15. Zubeldia, P., Romney, G.: Digital Certification Systems. Patent: EP 0869637 A2 (1998)
16. Casassa Mont, M., Brown, R.: PASTELS project: Trust Management, Monitoring and
Policy-driven Authorization Framework for E-Services in an Internet based B2B environ-
ment. HPL-2001-28 (2001)
How to Buy Better Testing
Using Competition to Get the Most Security and
Robustness for Your Dollar
Stuart Schechter
Harvard University
stuart@post.harvard.edu
1 Introduction
G. Davida, Y. Frankel and O. Rees (Eds.): InfraSec 2002, LNCS 2437, pp. 73–87, 2002.
c Springer-Verlag Berlin Heidelberg 2002
Given the opportunity, what properties would a firm build into an ideal market
for purchasing defect reports from testers?
Value The price paid for each defect found should be minimized.
If the testing budget is fixed, value is obtained by maximizing the number
of defects found. If the number of defects found is fixed, value is obtained by
minimizing the amount of money spent in finding them.
Speed Testers should find and report defects to the manufacturer as
quickly as possible.
The sooner a defect is reported, the sooner it can be fixed and the less likely
it is to cause damage before it is repaired. Given trade-offs between value and
speed, this paper will introduce solutions that place priority on value and then
show opportunities for exchanging value for speed.
Order The easier a defect is to find (or the cheaper the defect report
is to produce), the earlier it should be reported.
The most obvious and most commonly occurring defects are both the easiest
to find and the most likely to result in damage. Defects that are difficult to
find are the least likely to occur when the system is operating and thus are the
least likely to cause damage [5]. Product quality can be improved more quickly if
the most common defects are discovered and fixed first. For any class of security
vulnerabilities that cause the same amount of damage when exploited, locating
and fixing the cheapest-to-find vulnerabilities will increase the system’s cost to
break faster than if harder-to-find vulnerabilities are given higher priority.
For example, a defect in a router that corrupts one of every thousand packets
is of more concern than a defect that corrupts one packet per billion. A software
company prevents more theft if adversaries must spend millions of dollars to
break a cryptographic algorithm than if a vulnerability remains that can be
found and exploited for a thousand dollars. That the most frequently occurring
problems are often easy to detect is one of the few natural laws that help the
system’s developer.
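The cost-to-break argument can be illustrated numerically: if the system’s cost to break is taken to be the cost of finding the cheapest unfixed vulnerability, then fixing vulnerabilities cheapest-first raises that cost as quickly as possible. The dollar figures below are invented for illustration:

```python
# Illustration of the ordering argument: treat the system's cost to break
# as the cost of finding the cheapest unfixed vulnerability. Fixing the
# cheapest vulnerabilities first raises that cost monotonically.
# The dollar figures in the test are made up.

def cost_to_break(vuln_costs):
    """Cost to break = cheapest remaining vulnerability (infinite if none)."""
    return min(vuln_costs) if vuln_costs else float("inf")


def fix_cheapest_first(vuln_costs):
    """Yield the cost to break after each fix, cheapest vulnerabilities first."""
    remaining = sorted(vuln_costs)
    history = []
    while remaining:
        remaining.pop(0)  # fix the cheapest-to-find vulnerability
        history.append(cost_to_break(remaining))
    return history
```

After each fix the cost to break equals the next-cheapest vulnerability, so cheapest-first ordering dominates any other fixing order at every step.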
Before a product’s release, order is the least important of these properties.
3 Designing a Market
A number of papers have already made a great deal of headway toward
classifying defects and vulnerabilities [6,7,8]. Rather than worry about the
different consequences of each class of defect, we start by assuming all defects are
equally hazardous. Section 5.6 describes how different defect classes are handled.
We design a market for defects in which there is one buyer, the firm charged
with improving the quality of the system, and many sellers, the testers charged
with finding and reporting defects. This one-buyer assumption may seem mis-
guided, especially if the defects are security vulnerabilities that, if left unrepaired,
would be of value to an adversary. In Section 5.7 we will see why an adversary
is not likely to buy information about a vulnerability at any price that the firm
is willing to pay, and thus need not be treated as a competing buyer.
With this in mind, the firm may set the rules of the market as follows:
Access All testers have full and equal access to the system to be
tested.
The average price of a defect report cannot fall below the average cost of
finding a defect; otherwise no rational tester will search for defects. To maximize
value and speed, it is in the firm's best interest to minimize the testers' costs by
giving them full and complete access to the system.
Pricing A tester reporting a unique and verifiable defect at time
t, complete with test case, will receive a reward r(t). A
tester reporting a non-unique defect (one that was reported
earlier) receives nothing.
The firm chooses any reward function r(t) such that it increases continuously
with time, starting with the lower bound on the cost of finding and reporting a
76 S. Schechter
defect and ending with CTB, the cost to break of the system that represents the
firm’s maximum willingness to pay for a defect.
This rule frees the firm from any need to understand the testers’ costs in order
to set prices and maximize value. Rather, the firm will rely upon competition
between the testers to minimize its costs.
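To make the Pricing rule concrete, here is a minimal Python sketch of one admissible reward schedule. The rule only requires r(t) to increase continuously from the reporting-cost lower bound to CTB; the linear shape, the function names, and the dollar figures below are illustrative assumptions, not part of the paper's mechanism.

```python
# Hypothetical sketch: one admissible reward schedule r(t) under the Pricing
# rule.  Only the monotone-increase requirement comes from the text; the
# linear shape and the numbers are assumptions for illustration.

def make_reward(c_min, ctb, period):
    """Return r(t) (linear from c_min to CTB over the testing period) and
    its inverse, which a tester can use to turn a target price into the
    time at which to act."""
    def r(t):
        t = min(max(t, 0.0), period)  # clamp to the testing period
        return c_min + (ctb - c_min) * t / period

    def r_inv(price):
        # Earliest time at which the reward reaches `price`.
        return (price - c_min) / (ctb - c_min) * period

    return r, r_inv

r, r_inv = make_reward(c_min=10.0, ctb=1000.0, period=500.0)
print(r(0.0))        # 10.0 -- the lower bound at the start of testing
print(r(500.0))      # 1000.0 -- CTB at the end of the period
print(r_inv(499.0))  # the hour at which a tester would report to collect $499
```

A tester who has decided to sell at price p simply reports at time r_inv(p); this is how Ann times her $499 report in the story below.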
While not essential to this analysis, I suggest supplementing the pricing rule
to require testers to pay the transaction costs of processing defect reports (still
receiving their reward if the report is valid). This discourages reports that are
erroneous, badly detailed, or duplicates of published existing reports. Testers
are expected to integrate these costs into the price they demand for each defect
reported.
Selling A tester may search for defects at any time, and may report
a defect immediately or at any time after finding it.
While forcing immediate reporting would appear to maximize speed and im-
prove order, such a rule would be impossible to enforce. More importantly, doing so would
interfere with the testers' ability to make a fair profit and reduce the incentive
to test. We will instead rely (yet again) on competition to achieve our goals.
Information All testers receive the other testers’ defect reports immedi-
ately after they are received by the firm.
After we’ve ensured that testers receive the maximum information available
about the system (via the Access rule), testers’ efficiency can be further improved
by ensuring that they are not wasting effort searching for known defects. The
information rule stated above is most sensible before a product’s final release,
when defects are common and there is a reasonable probability that additional
testers would discover a previously reported defect before the firm can fix it.
After product release, a firm may want to sacrifice value by delaying the release
of security defects until after they are repaired in order to ensure that users
have a chance to patch their systems before the vulnerability is made publicly
available. This will be discussed in more detail in Section 5.8.
4 Simplifying Assumptions
The market for defects has been constructed so that once the firm has de-
clared its desired cost to break, CTB, it has no further strategic choices to make.
The strategy lies completely in the hands of the testers.
In order to analyze how the testers will behave, we first simplify the nature
and rules of the game until the analysis becomes trivial and then remove the
simplifications in order to make the game better reflect reality.
The following story summarizes our simplified game.
Ann believes that Bob and the other testers are rational and that
they will not sell the defect at a loss. Since no other tester can find the
defect for less than $500, Ann can sell the defect at any price below
$500. To maximize her profit, Ann finds the defect and reports it when
the reward reaches $499.
5 Approaching Reality
In the real world, products have multiple defects, finding a defect is a time
consuming operation requiring a large number of subtasks, and each tester’s
knowledge is far from perfect. We’ll now try to replace the above simplifying
assumptions with ones that more closely match the realities of testing.
This market for defects would be of little value if it could only be used to find
a single flaw in the system. This assumption must be removed, which we will
represent by writing it again and crossing it out.
(1) There is one and only one defect.
In order for the market described to accommodate reports of multiple defects
we must substitute a new assumption for assumption 1.
(1a) All defects are independent. Finding one defect d in the set of all defects
D neither aids nor hinders the search for another defect d′ ∈ D, nor
does it indicate that a tester is more or less likely to find another defect.
With this new assumption in place, we can open markets for any number
of defects in parallel, even if we don’t know how many defects there are. It is
easiest to view these parallel markets as one single large market for defects.
There are now two defects d1 and d2, each of which Frank is willing
to pay $1,000 to locate. Ann’s costs of finding defects d1 and d2 are
$300 and $400 respectively. Bob’s costs of finding defects d1 and d2 are
$500 and $200 respectively. Ann reports d1 for a reward of $499 and Bob
reports d2 for $399.
(4) Each tester knows the other testers’ cost of finding the defect.
It’s quite unlikely that a tester can know how hard it is for every other tester
to find a defect when she doesn’t even know what the defect is yet. We will
replace this assumption with one that is somewhat less far fetched. This will
allow us to make progress in the analysis before relaxing this assumption further
in Section 5.4.
(4a) Once given knowledge of a defect d, a tester with one of the two lowest
costs of finding d will know the other lowest cost tester’s cost to find d.
There are now two sets of moves for each tester. First, a tester must decide
if and at what price she will search for a defect. Then, if the tester has found
a defect, she must decide at what price she will sell it. She can calculate the
appropriate times for these actions from her matching price choices by using the
inverse function of r(t).
If Ann knows her cost of finding a defect (Assumption 3), and we define ca
to be this cost, we say that Ann will find a defect when the price covers her cost;
when r(t) ≥ ca. At this time t she can immediately sell the defect and break
even,1 or wait until just before the next lowest cost tester will find the defect
and sell it for a profit. She can do this because once she has found the defect she
1 We ignore the unlikely event that Ann's cost is exactly the same as Bob's, and that
they both attempt to report the defect at the same unit of time; this becomes
increasingly unlikely as time is measured at finer granularity.
will know the next lowest cost tester's cost of finding the defect. Though the
story changes slightly under these new assumptions, we always reach the same
end.
Ann and Bob’s costs haven’t changed, but neither player starts out
with any knowledge about the other’s costs. When the reward price
reaches $200, Bob spends $200 to find defect d2 knowing that he can sell
it immediately to break even regardless of what he discovers Ann’s cost
of finding d2 to be. After spending his $200, Bob learns everything he
needs to know about d2 , including that it would cost Ann $400 to find
d2 . Bob now knows, just as he did in the previous example, that he can
wait to report the defect until the reward is $399. Using the same logic,
Ann will find defect d1 once the reward reaches $300 and will once again
report it when the reward is $499.
Five hundred hours into testing, the reward for reporting a defect has
reached $500. Ann has a test that she can design and run for $5. The
test has a 1% chance of revealing an unreported defect. Running the test
has an expected value of no less than 0.01 · $500 = $5.00. Ann decides to
perform the test.
More formally, we say that a tester will search for a defect when her expected
minimum reward justifies the cost of searching. The equation below represents
this by stating that the expected value of searching, which is the product of the
reward and the probability that searching yields a reward, must be greater than
or equal to the cost of searching.
r(t) · pw ≥ cw
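The decision rule above can be sketched in a few lines of Python, using the figures from Ann's story. The function name is our own; the rule itself is just the inequality r(t) · pw ≥ cw from the text.

```python
# Sketch of the search rule above: a tester searches when the expected
# value of a unit of search work, r(t) * p_w, covers its cost c_w.
# Figures follow Ann's example: reward $500, a $5 test, 1% chance of
# revealing an unreported defect.

def worth_searching(reward, p_w, c_w):
    """True when the expected reward from a unit of search work
    justifies its cost."""
    return reward * p_w >= c_w

print(worth_searching(reward=500.0, p_w=0.01, c_w=5.0))  # True: 0.01 * $500 = $5.00
print(worth_searching(reward=400.0, p_w=0.01, c_w=5.0))  # False: expected value only $4.00
```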
Simplification 2a will not be further refined in this paper, and so our analysis
will continue to be predicated on the assumption that a unit of work takes no
time. There is no doubt that since even small units of work take time, a trade-off
exists between speed and value in testing. The choice of testing period is one
which needs to be made based on the time and budgetary constraints of firms
with knowledge of the state of the art in testing tools and technology. It is thus
outside the scope of this paper.
Frank’s system has three defects which are all closely related. Ann
can find the first of three defects for $500, and can find each of the two
remaining defects for $10 each given knowledge of the first defect. Bob
can find a defect for $2000 but given knowledge of any of the defects
can find the other two for only $5. Charles can find any defect for $600,
but isn’t aided by information about defects that have already been
discovered.
Ann finds the first defect when the reward has reached $500 and then
instantly finds the two other defects. She reports all three defects at once
when the price reaches $599, collecting $1,797.
The above example demonstrates two problems with the rules as they stand.
Since Bob has a lower cost of finding the incremental defects and Ann is the one
reporting them, the most efficient tester is not the one testing for the incremental
defects. Since the reward function increases monotonically, the firm must grossly
overpay for the incremental defects rather than paying no more than the cost of
the second lowest cost tester. By the second lowest cost rule, Ann should collect
$599 for reporting the first defect, and Bob should collect $9 for each of the
additional defects, allowing the firm to pay $617 for the three defects instead of
$1,797.
To fix this flaw I propose that the market be reset each time a single defect
is reported, with the reward price being reset down to the transaction cost of
reporting a defect ($0 in our story). If the reward is reset to $0 when Ann reports
the first defect, Bob will report the next defect when the reward price reaches
$9. The reward will once again be set to $0 and after it climbs to $9 again he
will report the third defect. While this approach sacrifices a modest amount of
speed , without it value is all but nonexistent.
The firm may want to adjust the reward function so that it grows very slowly
(or remains at $0) while an outstanding defect is being fixed. This prevents a
slew of related defects and test cases, which are trivial modifications of the first
reported defect, from being reported at high frequency and straining the reporting
system. Alternatively, allowing the reward to increase and a flood of related
test cases to be reported may be just what is needed to build a good internal
regression testing suite.
There is also a rather practical benefit to setting the reward back to $0 each
time a defect is reported in that it allows for more predictable budgeting. If a
dollar is added to the reward ‘pot’ every hour, and reporting a defect allows
the tester to take the money in the pot, then the rate at which defects are
reported does not affect the rate at which money flows out of the firm’s coffers.
The disadvantage is that fixing the budget removes any guarantees about the
cost to find and report a defect (cost to break) after any given testing period. A
compromise solution exists at which the firm may decide to increase the flow of
money into the pot in order to cause defects to be reported more quickly.
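The budgeting property of the 'pot' variant can be sketched as follows. This is an assumed minimal model of the mechanics described above, with a flow of $1 per hour and hypothetical report times.

```python
# Assumed minimal model of the 'pot' variant described above: $1 flows
# into the pot each hour, and a tester who reports a defect takes whatever
# has accrued, resetting the pot to $0.  Report times are hypothetical.

def simulate_pot(report_times, rate=1.0):
    """Return (payout per report, total paid) when reports arrive at the
    given hours and the pot resets to $0 after each report."""
    payouts = []
    last_reset = 0
    for t in sorted(report_times):
        payouts.append((t - last_reset) * rate)  # tester takes the pot
        last_reset = t                           # pot resets to $0
    return payouts, sum(payouts)

payouts, total = simulate_pot([20, 50, 60])
print(payouts)  # [20.0, 30.0, 10.0]
print(total)    # 60.0 -- $1/hour for 60 hours, however many defects are reported
```

Note how the total outflow depends only on elapsed time, which is the predictable-budgeting property claimed in the text, while the payout per defect (and hence the guaranteed cost to break) varies with how quickly defects are reported.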
With the new rule for the reward function in place, Ann may now wish to
recalculate pa(T\a, D, Dr, d, t) for her unreported defects each time a defect is
reported and the reward is reset. In doing so, she may actually determine that
she may want to take a loss if she has underestimated the other testers in her
past calculations of pa . However, the guiding equation behind Ann’s strategy
need not change as she is still working to maximize the expected reward for each
defect she has found.
What's worse, if the tester has found multiple vulnerabilities she can max-
imize her profits by selling the adversary the one that is most likely to be dis-
covered by another tester (and thus is the least valuable). As a result we can
conclude that adversaries buying security vulnerabilities will be faced with a
market for lemons for the duration of the testing process, and will find it in their
best interest to wait until testing is complete to make a purchase. When they
finally do purchase a vulnerability, they will have to pay at least as much as
CTB, the price offered by the firm.
Can the tester sell at a price below CTB and make up for the difference in
volume by selling to multiple buyers? In such a case, a buyer is able to engage
in arbitrage by purchasing the defect and selling it to the firm. This will result
in the defect being fixed, and any exploits of the defect becoming worthless.
What’s more, once the first buyer has purchased the exploit he would also be
able to sell the exploit to other buyers. As there would now be multiple sellers of
the same information good, the price of the good would drop to zero. For both
these reasons, a tester cannot expect to be able to sell a security defect more
than once.
In fact, the tester’s ability to resell security defect information adds an ad-
ditional barrier to the sale of security defects to adversaries at any price. Any
adversary must worry that after he has paid to learn the details of the vulner-
ability, the seller will resell that information to the firm (or other buyers). If
the transaction protects the anonymity of the seller, the tester can claim that
another tester must have discovered and reported the defect. Since the only way
to ensure the testers won’t resell is to take them out of the game, testers who
wish to avoid sleeping with the fishes will be wary of selling security defects to
anyone other than the firm.
possible, but it will more likely cause the testers to collude, sharing defects to
bleed cash from the firm. This is particularly serious if adversaries pose as testers
and learn about vulnerabilities by taking part in such collusion.
6 Applications
Testing processes that result in a metric of quality, such as the one described
above, have applications beyond improving testing. These include improving
product security, better management of release processes, and improving the
effectiveness of incentives for both in-house developers and outside contractors.
Defect markets can also be used directly for compensating all types of test engi-
neers. Public testing does not eliminate the need for professional internal testers,
as they will be able to perform white box testing using information not available
to the public to find defects at lower cost. Internal testers are also best used early
on as the defect reports they produce are of higher quality and are thus cheaper
for the firm to verify and process. Such costs may be a significant component of
the transaction when defects are inexpensive to find.
Testing often suffers because the job is considered unrewarding. Test engi-
neers are often paid less than developers, and their positions are less esteemed,
since building systems is more highly regarded than finding problems with them.
All too often, good testers are promoted out of testing. This would be less likely
to happen if testers’ compensation more directly matched the contribution they
make to the product. Markets for defects create a meritocracy in which the best
testers are rewarded in a way that makes their jobs more desirable while inef-
fective testers are encouraged to find more suitable positions. One might even
wonder whether great testers lost to development teams will start testing sys-
tems again, in their free time, to pick up extra money.2 Some might even learn
that their true calling is to return to testing.
Testers are not the only members of the team who can be evaluated based
on the cost of finding defects in systems. It has often been difficult to provide
engineers with incentives for developing high quality work (rather than fast work)
without an objective measure of the level of defects. The cost for a tester to find
a defect when the engineer releases his work for testing provides the measure of
quality that can be integrated into the engineer’s incentives.
The cost of finding a defect may be used as a measure for determining when
systems are ready to ship, especially when other metrics, such as Mean Time
Between Failures (MTBF), are hard to measure or not applicable. Many other
metrics fail to account for extreme conditions, such as extreme load or attack by
an adversary with extensive knowledge of the system, that do not occur in the
laboratory and are not detectable in typical real-world use.
6.4 Contracts
The question of when a software development contractor has fulfilled its obliga-
tion to provide a system of reasonable quality has been the subject
of innumerable disputes. Placing a lower bound on the cost of finding a defect
in the completed system may be just the metric needed to allow parties to reach
agreement on quality before work begins. A wise client will pay more to ensure
2 Developers should not be allowed to collect rewards for testing their own systems, as
doing so compromises their incentive to create as few defects as possible.
that the testing budget comes out of the contractor’s pocket, thus ensuring that
the contractor will have the maximum incentive to provide initial quality. The
client should also insist that the testing itself be open to third parties that cannot
be influenced by the contractor.
7 Future Work
There are many ripe areas of research to explore as the ideas I have outlined
are put into practice. A starting point is to relax the assumption that work
spent searching takes no time (part of Assumption 3a). One approach would
be to quantify the trade-offs between the value and speed of testing, perhaps
as a function of the number of available testers and size of the system to be
tested. Much can also be gained by formalizing rules for determining whether
a defect report is indeed valid, and to explore the role played by third parties.
More light needs to be shed on how testers behave given their limited knowledge
of the abilities of others. This may arise through empirical study, or by adding
additional assumptions so that a Bayesian-Nash Equilibrium analysis may be
performed.
8 Conclusion
The security and robustness of systems has traditionally suffered because testers
are not properly rewarded. I have described an economic approach to rewarding
testers that aligns their goals with those of the firm developing the system. This
approach allows firms to cost-effectively test systems for individual flaws and
simultaneously measure the quality of the overall system.
Using testing based on defect markets as described in this paper, subsystems
can be built with measurable security and used to construct more complex
systems which can then also be measured.
Acknowledgements. This paper could not have been completed without the
advice, comments, and suggestions from Adam Brandenburger, L. Jean Camp,
David Molnar, David Parkes, Michael D. Smith, and Omri Traub.
This research was supported in part by grants from Compaq, HP, IBM, Intel,
and Microsoft.
References
1. Akerlof, G.A.: The market for ‘lemons’: Quality uncertainty and the market mech-
anism. The Quarterly Journal of Economics 84 (1970) 488–500
2. Anderson, R.: Why information security is hard, an economic perspective. In: 17th
Annual Computer Security Applications Conference. (2001)
3. Schechter, S.E.: Quantitatively differentiating system security. In: The First Work-
shop on Economics and Information Security. (2002)
Consult Hyperion, 8 Frederick Sanger Road, Surrey Research Park, Guildford, Surrey,
GU2 7EB, United Kingdom
{neil,andrew}@chyp.com
1 Background
Information security is progressively becoming headline news, particularly as ordi-
nary people start to rely on electronic means to carry out routine transactions such as
making payments from a bank account or filing a tax return. Barely a week goes by
without scares about the latest virus, or a report of an embarrassing lapse by a large
organisation, hitting the front page and radio and television news bulletins. In the week
this paper was drafted, the biggest noise was about the UK Inland Revenue suspend-
ing their online self-assessment service following reports that users had seen snippets
of information relating to other taxpayers [1].
All of this understandably has the tendency to leave the lay user confused or,
worse, frightened. What is more surprising is that so many large organisations leave
themselves wide open to appear in tomorrow's headlines. That is not to say that
money and effort are not being spent. For example, in the wake of September 11th,
many airports and airlines are deploying biometric technology to screen travellers –
G. Davida, Y. Frankel and O. Rees (Eds.): InfraSec 2002, LNCS 2437, pp. 88–103, 2002.
© Springer-Verlag Berlin Heidelberg 2002
Structured Risk Analysis 89
despite informed academic comment that many systems are incapable of delivering
the claimed benefits.
A number of organisational cultures can lead to irrational stances towards infor-
mation security. The most negligent would be the assumption that “it could never
happen to us”. A more prevalent response to the issue is to appoint a person or team
to be responsible for information security, but without the breadth of experience, or
the ‘clout’ to identify and solve the most serious security issues and to successfully
deploy and promote the solutions. For example, a team with a strong software back-
ground may understand the security flaws with the server operating systems and data-
base management systems, but may under- or over-estimate the impact such flaws
might have on the business. Conversely, a business person charged with the same re-
sponsibility may have an acute awareness of potential damage to the organisation,
without understanding how a hacker might be able to penetrate the systems to realise
his worst fears.
The successful management of information security risks has many components.
Policies must be developed and applied that define who can have what kind of access
to which information and infrastructure components. Procedures must define the con-
trols around such access. Technical means must be deployed to enforce policies and
procedures. Active monitoring must detect serious or systematic attempts to circum-
vent the policies and procedures.
None of the above should be defined in a vacuum. Otherwise, (for example) overly
bureaucratic procedures might be defined to protect access to equipment which is not
critical to maintaining information security; or sensitive traffic on a wireless network
may be available, un-encrypted, on the street outside the building. The key to taking
optimal decisions in all these areas is to understand the risks to which the organisation
is exposed by doing nothing, and the degree to which these could be mitigated by the
deployment of particular countermeasures.
Of course, recognition of the value of risk analysis in this area is not new, and
methods to conduct such analyses have been proposed. However, uptake of these
methods has been slow, leading to ad hoc analyses, where they take place at all. We
find that most methods for risk analysis have one or more of the following deficien-
cies:
• They are not rooted in the wider disciplines of information analysis and system de-
velopment, which leads to doubt about the completeness of any analysis.
• They do not provide a means whereby information security risks can be compared
with other business risks (or indeed business opportunities), which would allow
business people to take rational decisions about the application of funds.
• They fail to distinguish clearly between threats to the business and the vulnerabili-
ties of systems, leading to a muddled analysis.
• They are either too superficial (nothing which is not obvious is revealed) or too
detailed (can't see the wood for the trees).
• They are 'static' in terms of the foreseen vulnerabilities or countermeasures,
whereas in reality information security is a fast-moving discipline.
• They are inflexible or prescriptive.
• They are proprietary, or rely on specific software packages.
90 N. McEvoy and A. Whitcombe
3.1 Overview
Figure 1 below outlines the basic steps undertaken in order to carry out a successful
Structured Risk Analysis.
SRA builds on existing Systems Analysis methods and best practice to ensure that the
service and systems under consideration are represented clearly, in a way which is
understandable to stakeholders and hopefully in a manner that is consistent with the
rest of the organisation. This enables the results of the SRA to be viewed in an over-
all business context, allowing security decisions to be taken as part of a complete
picture of organisational structure, spend and development. These representations, or
service and system ‘models’ are then used to identify the threats and vulnerabilities
that exist within the system.
[Figure 1. The basic steps of a Structured Risk Analysis: Model Service and Model System; Assess Threats and Assess Vulnerabilities; Assess Risks; Identify Countermeasures.]
All the threats and vulnerabilities identified are then cross-referenced to ascertain
whether it is possible that a particular threat might be realised by a particular vulner-
ability. If this is possible, then we have discovered a real risk.
A number of factors are considered in order to help identify the extent to which
such risks expose the organisation to damage, leading to the selection of appropriate
countermeasures.
for a large information system, the number of such entities is usually limited to 20 or
so.
The ‘Model System’ process is used to understand the physical architecture of the
system within which this information is stored and manipulated. It must identify proc-
essing elements, networking elements and storage elements. Normally, such models
will be generated during the ‘system architecture’ phase of system development proc-
ess. The depth, or level of detail, of such a model is of course variable. In our experi-
ence, it is best to work (at least initially) at a high level, as long as the model is com-
plete at that level. In this way, the later stages of analysis will remain tractable and the
‘big picture’ will emerge. If necessary, particular features of the big picture can be
examined in greater detail later.
Sometimes obtaining the service and system models is straightforward, as the logi-
cal and physical architectures have been laid down as part of the overall design of the
system, and have been well adhered to during implementation. However this is not
always the case, and the key challenge at the start of any SRA is often producing
models that bridge the gap between the system an organisation thinks it has, and what
is actually in place.
As a final step before undertaking specific security analysis it is useful to construct
a cross-reference between the two models. This will identify for each data entity (or,
at a more detailed level, for each attribute), which physical system elements are re-
sponsible for its capture, processing, transmission and storage.
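Such a cross-reference can be sketched with a simple dictionary, one row per data entity. All names below are invented; only the capture/processing/transmission/storage roles come from the text.

```python
# Minimal sketch of the cross-reference between the service model (data
# entities) and the system model (physical elements).  All entity and
# element names are hypothetical.

cross_ref = {
    "patient record": {
        "capture":      ["registration web form"],
        "processing":   ["application server"],
        "transmission": ["internal LAN"],
        "storage":      ["database server"],
    },
}

def elements_touching(entity):
    """All system elements that handle a given entity, in any role."""
    return {el for els in cross_ref.get(entity, {}).values() for el in els}

print(sorted(elements_touching("patient record")))
```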
Threats are things that might damage the business or organisation providing the serv-
ice. This damage might be indirect, in the sense that the most immediate loss might be in-
flicted on (say) a customer or employee. Threats are, in themselves, nothing to do
with the technology which provides the system. A threat might be ‘the reputation of
the business may be damaged by revealing sensitive customer information’. On the
other hand, ‘an attacker outside the building might eavesdrop on 802.11b wireless
traffic’ is definitely not a threat in SRA’s taxonomy. (As we shall see, it is a good ex-
ample of a ‘vulnerability’.)
It follows that threats are derived from the Service Model. This is done by exam-
ining every entity in the model from the familiar ‘CIA’ angles: confidentiality, integ-
rity and availability. For each entity, it is necessary to determine the worst conse-
quences of the loss of Confidentiality, Integrity and Availability. To do this it is
necessary to examine every attribute of each entity. For example, imagine a medical da-
tabase system. For the ‘patient’ entity, the attribute ‘HIV status’ might be most sensi-
tive from the confidentiality viewpoint, whilst ‘blood group’ might be most important
from the integrity viewpoint. However, rather than carry forward the security charac-
teristics of every attribute for every entity, it is generally more convenient to carry
forward the ‘worst cases’ for each of C, I and A, at the entity level. Thus if there are
IE information entities, the number of potential threats to carry forward in the analysis
is (3 x IE).
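This enumeration step is mechanical enough to sketch in a few lines of Python; the entity names are invented, and only the 3 × IE counting argument comes from the text.

```python
# Sketch of the enumeration above: one worst-case threat per information
# entity for each of Confidentiality, Integrity and Availability, i.e.
# 3 x IE potential threats.  The entities are hypothetical examples.

entities = ["patient", "appointment", "clinician"]  # from a service model

threats = [(entity, aspect)
           for entity in entities
           for aspect in ("confidentiality", "integrity", "availability")]

print(len(threats))  # 9 == 3 * IE for IE = 3 entities
print(threats[0])    # ('patient', 'confidentiality')
```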
Of course to perform this assessment, it is necessary to place the threat on some
kind of scale. The key factor here is the Damage, D, which would be inflicted on the
organisation by a single incident. Of course, this could be quantified fully and meas-
ured in pounds or some other currency. This is usually necessary in a commercial organisation.
At this point in any SRA we now have depressingly long lists of threats and vulner-
abilities to consider, but how many of them actually result in real risk to the organisa-
tion?
A threat presents no risk if it can never be realised, and a vulnerability only pres-
ents a risk if it can be exploited in a way that exposes an asset to a threat. Restated, a
real risk exists if an identified threat can be realised by a vulnerability.
We use the symbol ⊗ to denote a function that behaves like multiplication, to al-
low semi-quantitative approaches to be formulated. For example, if D or P is zero,
then so is E. We will see this in the worked example presented below. Clearly,
straightforward multiplication can be used when a monetary calculation is being per-
formed.
We will already have assigned a value for D; as we have seen it is a property of the
threat associated with the risk. How do we assess P? In SRA, we make the assump-
tion that the probability of an attack being carried out is proportional to the attacker’s
expectation of gain. This we define to be the Profit (Pr) he might derive from a par-
ticular attack multiplied by the probability that he is not caught (PNC).
P = Pr ⊗ PNC (2)
Pr is calculated from the attacker’s gain (G) and his costs (C). Using the same
symbolic convention as before:
Pr = G Ξ C (3)
where the symbol Ξ is used to denote an operator with similar properties to ‘minus’
(and which is ‘minus’ in the fully quantitative case). Notice that G and C are already
known: they are properties of the threat and vulnerability respectively.
Of course PNC is just the complement of the likelihood that the attacker will be caught:
PNC = 1 Ξ L (4)
Notice that L is defined as a property of the vulnerability. We have now defined
the exposure to each risk in terms of basic properties of the threat (damage to organi-
sation and gain to the attacker) and vulnerability (cost to the attacker and his prob-
ability of being caught). When applied to every risk, we can generate an ordered list
of information security risks. When the analysis is fully quantitative, the exposure to
each risk can be compared to other types of risks run by the organisation.
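The chain of definitions above can be sketched in code. The encoding below is an assumption for illustration only: levels Low/Medium/High mapped to 0/1/2, min() standing in for the multiplication-like operator ⊗, clamped subtraction for the minus-like operator, and the top level playing the role of "1" in Equation (4). The paper fixes only the operators' required properties, not these particular choices.

```python
# Illustrative sketch of the SRA exposure calculation on a three-point scale.
# Assumptions (not from the paper): L=0, M=1, H=2; the multiplication-like
# operator is min(); the minus-like operator is clamped subtraction.

LEVELS = {"L": 0, "M": 1, "H": 2}
NAMES = {v: k for k, v in LEVELS.items()}

def otimes(a, b):
    """Multiplication-like: zero whenever either operand is zero."""
    return min(a, b)

def ominus(a, b):
    """Minus-like: ordinary subtraction, clamped at zero."""
    return max(a - b, 0)

def exposure(damage, gain, cost, likelihood_caught):
    """E = D (x) P, with P = Pr (x) PNC, Pr = G (-) C, PNC = 1 (-) L."""
    d, g, c, l = (LEVELS[x] for x in (damage, gain, cost, likelihood_caught))
    profit = ominus(g, c)               # Eq. (3): Pr = G (-) C
    pnc = ominus(LEVELS["H"], l)        # Eq. (4): PNC = 1 (-) L
    p = otimes(profit, pnc)             # Eq. (2): P = Pr (x) PNC
    return NAMES[otimes(d, p)]          # exposure E = D (x) P

# High damage, high gain, low cost, low chance of capture => high exposure:
print(exposure("H", "H", "L", "L"))   # -> H
# Cost equal to gain wipes out the profit, and with it the exposure:
print(exposure("H", "M", "M", "L"))   # -> L
```

Note how the required property carries through: a zero anywhere in the chain (no profit, certain capture, or no damage) forces the exposure to zero.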
3.6 Countermeasures
For the greatest risks, the organisation will wish to select countermeasures to reduce
its exposure. Countermeasures can be technical (for example, the use of encryption to
protect a communications link) or procedural (for example, the implementation of
dual controls) or physical (for example better locks on doors). A countermeasure usu-
ally acts to reduce a vulnerability: either by increasing the attacker’s cost or increas-
ing the chance that he is caught. Given new estimates for these characteristics, the
new (reduced) exposures can be calculated. In the fully quantitative case, it can be
checked that the selected countermeasures fulfil the organisation’s standard ‘rate of
return’ criteria. Where no suitable countermeasure exists, insurance can be consid-
ered. Insurance is generally specific to a threat rather than a vulnerability; but the un-
derwriters will of course be interested to know how each threat might be realised. In
any case, we believe that presentation of a thorough SRA will help underwriters to
provide competitive premiums.
4 Worked Example
The following is a worked example of the application of SRA, provided for illustrative purposes only. We consider a hypothetical service whereby an organisation offers its customers up-to-the-minute company share prices and business news via satellite broadcast.
An information service serves no purpose other than to make information that is both accurate and timely available to legitimate users only. If the information is not accurate or timely, or is made available to people with no right to access it, then the system has in some sense been subverted.
Therefore, to understand the threats which apply to the service, it is essential to
have a model of exactly what information the service is designed to maintain. A Logi-
cal Data Model contains the following elements:
• Entities, usually 'real-world' items which can be distinguished from other entities of the same type, for example 'person'.
• Attributes, which are properties of an entity, for example 'eye colour' or 'height'.
• Relationships, which are links between entities.
In practice, it is the one-to-many relationships that are most important to data modelling. A one-to-one relationship is trivial and indicates that the two entities can really be considered as one. Many-to-many relationships are complex and should be analysed further; they can always be resolved into two one-to-many relationships via a 'link entity'. Figure 2 and Table 1 identify the Information Entities used in our example, the relationships between them, and their key attributes.
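The three model elements, and the resolution of a many-to-many relationship through a link entity, can be sketched with plain classes. The entity and attribute names below are illustrative only, not those of Table 1; the hypothetical Subscription link entity would arise if customers subscribed to individual companies.

```python
from dataclasses import dataclass

@dataclass
class Company:                # entity: a 'real-world' item
    ticker: str               # key attribute

@dataclass
class Customer:               # entity
    customer_id: str          # key attribute

@dataclass
class Subscription:           # link entity resolving a many-to-many
    customer: Customer        # Customer 1:N Subscription
    company: Company          # Company 1:N Subscription

@dataclass
class CompanyReport:          # 'Price Report'/'News Report' merged, as in the text
    company: Company          # Company 1:N Company Report
    body: str

acme = Company("ACME")
alice = Customer("C001")
link = Subscription(alice, acme)          # two one-to-many links, one link entity
report = CompanyReport(acme, "price update")
print(report.company.ticker)              # -> ACME
```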
For the purposes of this paper an extremely simple model is used, one that assumes that all 'Customers' receive the same generic service and get data relating to all listed 'Companies'. It has also been assumed that the 'Price Report' and 'News Report' entities are so similar, in terms of the types of threat they may be exposed to and how they are physically processed, that they are considered as one data entity, 'Company Report'.
The Service model is used to produce a Threat Catalogue identifying each threat, the damage its realisation would cause the organisation, and the maximum gain that any attacker could achieve. In some cases it is important to fully quantify the damage and gain as part of a budget allocation process. In this worked example a semi-quantitative assessment of the impact of a realised threat is used, based on a three-point scale of 'High', 'Medium' and 'Low'.
(Fig. 2. Logical Data Model for the example service, showing the 'Customer', 'Company' and 'Company Report' entities and their one-to-many relationships.)
This worked example is merely an illustration of how SRA is performed, and not a
definitive statement of risk in such a system. Indeed it may be that the reader dis-
agrees with the values allocated in this example. If this is the case, the value of such a
structured approach becomes all the more clear, as it can be seen how simple assess-
ments can be altered, and the effect rippled through the whole process to show the ul-
timate impact a small change has on the exposure of the organisation to risk.
Figure 3 shows the processing nodes, network links and data storage devices used
within our example system. Each of these physical entities is considered in turn to
produce a vulnerabilities catalogue such as that shown in Table 3. For the purposes of
this simple example, the News Wire/Price Feeds are considered to have the same vulnerabilities, as are the Price Server, News Server and Broadcast Engine. The satellite itself and the broadcast receivers are not considered within this example; however, depending upon the implementation (e.g. is the broadcast receiver provided to the customer as part of the service?), these may require further attention in a real SRA.
Vulnerabilities are associated with the data links and processing nodes defined in the physical model. In both cases, they are categorised to correspond with the three different classes of generic threat: to confidentiality, integrity or availability.
For each vulnerability, the cost to the attacker of exploiting the vulnerability and his probability of being caught are estimated. As with the damage and gain parameters associated with threats, these are given on a three-point scale: high, medium and low.
For cost, these have the following definitions:
HIGH - requires the resources of a medium or large corporation, or an organised crime syndicate
Once Threats and Vulnerabilities have been catalogued, the risk analysis finds ar-
eas where vulnerabilities of the system can be exploited to realise a business threat,
and ranks each such risk in terms of exposure.
As a precursor to this analysis, a cross-reference (e.g. Table 4) needs to be built
between the logical and physical models defined earlier. This cross-reference shows
which information entities are handled (i.e. stored, processed or transmitted) by which
system components.
For each valid combination of entity and component, risks are identified (classi-
fied, as usual, by confidentiality, integrity and availability) from the corresponding
threats and vulnerabilities. The severity of each risk is calculated as follows:
Model cross-reference between information entities and system components (the symbols O and P are reproduced as printed):

                              Company Report   Company   Customer
  Price Feed/News Wire              O             P          P
  LAN                               P             P          P
  Satellite Dish                    P             P          P
  Uplink/Broadcast Channel          P             P          P
First, calculate the 'profit' to an attacker (Pr) as defined in Equation (3) previously. In a semi-quantitative analysis, such as this example, Pr can be calculated using a lookup table:
(Lookup table: Attacker Profit, indexed by Attacker Gain and Attacker Cost, each on the High/Medium/Low scale.)
This amounts to subtraction of the cost from the gain to calculate the profit.
Next, assess the probability that an attack will take place (P), as defined in Equations (2) and (4). This amounts to multiplying the attacker's profit by the likelihood that he does not get caught committing the attack.
This then enables us to construct a Risk Catalogue, where each valid combination
of entities and components on the model cross-reference (Table 5) is assessed once
again under the three categories of Confidentiality, Integrity and Availability.
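The catalogue-building step can be sketched as a loop over the valid (entity, component) pairs of the cross-reference. The threat and vulnerability entries below are invented placeholders, and min() over levels plus clamped level subtraction are illustrative stand-ins for the lookup tables, not the paper's actual tables.

```python
ORDER = "LMH"  # Low < Medium < High

def times(a, b):
    """Multiplication-like lookup: the lower of the two levels."""
    return min(a, b, key=ORDER.index)

def minus(a, b):
    """Minus-like lookup: level subtraction, clamped at Low."""
    return ORDER[max(ORDER.index(a) - ORDER.index(b), 0)]

# Placeholder catalogues: (entity, category) -> (damage D, attacker gain G)
threats = {("Company Report", "integrity"): ("H", "H")}
# (component, category) -> (attacker cost C, likelihood of being caught L)
vulns = {("Uplink/Broadcast Channel", "integrity"): ("L", "L")}
# Which components handle which entities (cf. the cross-reference table)
xref = [("Company Report", "Uplink/Broadcast Channel")]

catalogue = []
for entity, component in xref:
    for cat in ("confidentiality", "integrity", "availability"):
        if (entity, cat) in threats and (component, cat) in vulns:
            d, g = threats[(entity, cat)]
            c, l = vulns[(component, cat)]
            p = times(minus(g, c), minus("H", l))   # P = Pr (x) PNC
            catalogue.append((entity, component, cat, times(d, p)))

print(catalogue)   # one high-exposure integrity risk in this toy setup
```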
(Lookup table: Attack Probability, indexed by Attacker Profit and the probability of not being caught, each on the High/Medium/Low scale.)
Finally, exposure to the risks is calculated by combining the Damage (D) (a function of the threat) with the attack probability:

E = D ⊗ P (1)
In essence, the Damage is multiplied by the Probability of attack to generate the Exposure. It is exposure that is the key to aiding organisations in making business decisions as to how they can make their systems economically secure. Table 6 indicates the risks that open up our example service to medium or high exposure. The interesting point of note from this process is that the confidentiality of the data is relatively unimportant, as the kind of customer that requires this service is unlikely to go to the trouble of tapping it for free, since they can well afford the fees charged considering the value of the information to them. The integrity of the information provided about companies to customers is shown to be vitally important, as any action taken on incorrect information from this trusted source is bound to have serious repercussions, both in monetary terms and in terms of reputation. In addition, false information inserted by an attacker could be used to create a false market, which is likely to attract censure from financial regulatory bodies.
5 Conclusions
Before describing the SRA method we listed the requirements that such a methodol-
ogy should meet to be truly valuable as a risk assessment tool. Now let us consider
how SRA meets these requirements.
(Lookup table: Exposure, indexed by Damage (D) and Attack Probability, each on the High/Medium/Low scale.)
• Business context. By providing the means for quantifying the exposure a particu-
lar risk opens an organisation up to, SRA enables business owners to make in-
formed decisions as to whether the benefits of security measures justify their ex-
pense.
• Technical grounding. SRA uses existing systems analysis techniques to ensure
the information service, and the physical system via which it is delivered are
completely and openly defined.
• Separation of concerns. By separately considering the logical service to identify
threats, and the physical architecture to identify vulnerabilities, SRA enables
technical and business issues to be considered clearly and separately before the
results are cross-referenced to identify where they combine to present a risk.
• Support for quantitative analysis. Depending on the information available, the
time for analysis and the complexity of the system, SRA enables empirical esti-
mations of cost in order to allow determination of an overall information security
budget and the optimal allocation of that budget.
• ‘Tuneable’ analysis. Implementing SRA need not be a massive undertaking. De-
pending on corporate size, circumstances and budget, performing such an analy-
sis, even on simple high-level models of system and service, will provide some
shape and direction to security expenditure and focus.
• Evolution. As the foundation of the method is based upon best practice in the field of systems analysis, it is possible for SRA to use the most appropriate techniques to model the logical service and the physical system as such practice evolves and improves. Also, because the method is not based on static logic (e.g. in a proprietary software package) but relies on the real knowledge and experience of real people, it can respond dynamically to advances in IT in general and IT security in particular.
• Maintainability. One of the benefits of performing a Structured Risk Analysis in this way is that when services and systems change, it is possible to tweak the models and see whether simple changes to information models, or physical architecture, affect the exposure to risk faced by the organisation.
• Openness. SRA is based on a unique combination of open standards in the area of
systems analysis and security, requiring no payment of licence fees or purchase
of specific software.
Security controls, and the actual dangers presented by the risks these controls are introduced to protect against, are fundamental to the economic success of an IT system. It is common sense, therefore, to give the deployment of such security controls the same sort of rigorous analysis and consideration as other areas of systems analysis and design. Such a statement is hardly controversial; however, the fact remains that quantifying risk is not easy and is therefore often put aside in favour of more easily defined and controlled economic factors, such as development cost and revenue return.
SRA provides an approach that allows the same disciplines of structure and objective observation that are well established in other areas of systems analysis and design to be applied to security, thus placing security costs and savings on a level playing field with other factors that can affect the ongoing success of an information service.
As indicated in the introduction of this paper, we believe the key to taking optimal
decisions in all these areas is to understand the risks to which the organisation is ex-
posed by doing nothing, and the degree to which these could be mitigated by the de-
ployment of particular countermeasures.
We believe SRA gives business owners the information they need to make truly in-
formed decisions about the security, viability and future direction of their Information
Systems.
A Model Enabling Law Compliant Privacy Protection
through the Selection and Evaluation of Appropriate
Security Controls
Hellenic Data Protection Authority, 8 Omirou St., P.C. 10564, Athens, Greece
{sefrosini,zorkadis}@dpa.gr, www.dpa.gr
1 Introduction
Emerging computer and communications technologies have radically altered the ways in which the communication and exchange of personal data are performed. These technologies offer many advantages, such as speed and efficiency, but they also raise many questions related to the protection of personal information traversing the global communications infrastructure. The transmission of vast quantities of personal data within seconds across national frontiers, and indeed across continents, combined with the threats to which they are exposed, such as traffic analysis and user profile creation, has made it necessary to consider privacy protection.
Advances in information technology and the Internet have changed the way that
companies conduct business. Over the past decade, there has been unprecedented
growth in the ability of organizations to create, collect, analyze, combine and
disseminate personal data. The telecommunication and mobile communication
industry, insurance, direct marketing and health companies are processing an ever-
increasing volume of personal data. Computers store and exchange enormous
amounts of personal information, such as medical data and financial data.
G. Davida, Y. Frankel and O. Rees (Eds.): InfraSec 2002, LNCS 2437, pp. 104–114, 2002.
© Springer-Verlag Berlin Heidelberg 2002
Data subjects (users, consumers, etc) expect their personal data to be protected and
their privacy to be respected by the organizations (data controllers) they conduct
business with. On the other hand, data controllers have realized that protecting personal data and developing data subjects' trust promises to become a competitive advantage. Thus, protecting privacy has become a new business imperative.
Privacy protection laws were enacted in many countries in the last three decades.
They have been introduced to regulate the processing of personal data and to prevent
what are considered to be privacy violations, such as unlawful storage or storage of
inaccurate personal data and abuse or unauthorized disclosure of personal data. In
addition to national data protection laws, several legal instruments related to privacy protection have been adopted at an international level. Among the most influential are the European Union's Directives 95/46/EC and 97/66/EC, the Council of Europe's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, and the OECD's Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data [3,4].
Therefore, data controllers are obliged to respond to the privacy protection requirements imposed by the above-mentioned legislation. Specifically, these laws impose obligations on data controllers relating to the secure processing of personal data through the selection of an appropriate set of security controls, so that the desired protection of personal data is achieved.
The aim of this paper is twofold. The first objective is to propose a privacy
protection model to support data controllers in their effort to respond to the
requirements of the laws. This will be achieved through the selection of an
appropriate set of security controls that will meet both the legal privacy protection
requirements and any particular requirements of the data controllers regarding the
processing of personal data. The second objective of the paper is the evaluation and
certification of the selected security controls in order to enhance confidence that an
acceptable level of privacy protection has been achieved. If the security controls are
evaluated as meeting the privacy protection requirements imposed by the legislation
then trust is established that the data controller has implemented privacy in this
rapidly changing, information-driven economy. Thus, the proposed privacy protection
and security evaluation model aims at instilling confidence and assurance that an
appropriate set of security controls has been identified and implemented for the
protection and secure processing of personal data.
The selection and evaluation processes reflect the auditing practices followed by
the Hellenic Data Protection Authority regarding the compliance of data controllers to
Greek and European legal framework. The models proposed are concerned with
security issues from the perspective of privacy protection. They can be integrated in
the overall approach of a data controller for the formulation of a complete security
plan.
The paper is organized as follows. In the second section, the privacy protection
requirements imposed by the legal framework are analyzed. The third section is
devoted specifically to the analysis of the requirements of the security principle. In
the fourth section the security controls selection model is presented. In the fifth
section the evaluation model is briefly presented. Finally, the paper is concluded.
106 E.S. Siougle and V.C. Zorkadis
The main security obligations are outlined in the security principle. This principle
clearly defines that appropriate security measures, both technical and organizational,
should be taken by the data controller for the protection of personal data against
accidental or unauthorized destruction or accidental loss as well as against
unauthorized access, alteration or dissemination.
According to data protection laws based on the Directive 95/46/EC [3], the
obligations of the data controller regarding the secure processing of personal data are:
1. Establishment of the appropriate security standards and procedures. Without
appropriate security measures, unauthorized parties (both within and outside an
organization) may be able to access, use, copy, disclose, alter and destroy the
personal data of the data controller. Such action could create significant harm to
the individual to whom the data relates, as well as potential liability for the data
controller. Without appropriate access controls mechanisms, unauthorized
individuals may access personal data for unauthorized purposes. Without
appropriate audit trails for access to personal data, security breaches may not be
detected and remedied. Furthermore, data controllers are obliged to periodically
assess the security of their information and communication infrastructure
considering the security technology evolution. The establishment of organizational
measures relates to security management: the allocation of resources to security, the identification of roles and responsibilities, and the establishment of rules ensuring compliance with the security procedures.
2. Selection of personnel based on their skills and ethics, and the provision of appropriate training in security issues: there is a requirement for computer security awareness training for personnel at all levels throughout the organization. Training should focus on making staff aware of the security and privacy protection requirements, preventing them from making unnecessary errors, and making them aware of their responsibilities for security. Ongoing educational, awareness and training programs should be put in place within the organization. A third factor affecting personnel reliability is the establishment of a work environment which meets health and safety standards.
3. Management of outsourcing contracts and the selection of a processor according to
the technical and organizational security measures governing the processing. The
security and organizational measures that should be taken by the processor
correspond to those implied by the security principle, and are equivalent to those imposed on the data controller. Furthermore, the processor is contractually obliged to process personal data only on the instructions of the controller and to take the required staff-related precautions. The parts of the contract or the legal act relating to data protection, and the requirements relating to the technical and organizational measures, should be in writing or in another equivalent form.
4. Whenever personal data are transferred outside Europe, the data controller must
consider the security measures taken and the legislation concerning data protection
in the country or territory where the data are transferred.
Consequently, the selection of the appropriate set of security controls meeting the
privacy protection requirements imposed by the data protection legislation is
imperative for the protection of personal data. The appropriate security measures must
be selected and implemented so that an acceptable level of privacy is achieved.
The computing and communication infrastructure of the organization is taken into consideration in this step, so that the security controls selected are in accordance with the existing infrastructure, the procedures in operation and the possible security-related technological solutions.
The technical control requirements of the security principle range from authentication, integrity, access control mechanisms, confidentiality, accountability, and digital signature creation and verification, to privacy-enhancing requirements such as anonymity, pseudonymity, unlinkability and unobservability. Organizational control requirements include, among others, security and privacy protection planning and strategy, security and privacy policy creation and maintenance, and disaster recovery and business continuity planning.
Additionally, the selection of the appropriate security controls is based on the
requirements regarding staff selection and security and privacy related training and
the possible outsourcing contracts, in case the data controller involves third entities
for the collection and processing of personal data. Finally, possible transfers of
personal data outside European Union should be considered with respect to the
security measures taken and the legislation concerning data protection in the country
or territory where the data are transferred.
The security controls selected along with the privacy protection requirements
determine the privacy protection profile corresponding to each data processing
purpose. Thus, the privacy protection profile defines a set of appropriate privacy and
security requirements and objectives. The privacy protection profiles should guide the
eventual product selection and evaluation. The model steps are repeated so that a
privacy protection profile is determined for all the processing purposes of the data
controller.
Finally, the last step refers to a periodical monitoring of the security publications
and vulnerability analysis and generally of technological solutions and advances that
should be considered so that privacy protection profiles and implementations are
adjusted properly.
The following example will contribute to the clarification of the model. The data
processing purposes of a hospital may include, among others, the provision of health
services, the administration of personnel and the notification of infectious diseases to
the authorities responsible for monitoring such diseases. Each of these purposes has
certain privacy protection requirements regarding the secure processing of personal
data, which dictate the adoption of different security controls. Less strict security controls may be applied to the personal data processed for the purpose of administration than to those processed for the provision of health services. Furthermore, the control of anonymity should be applied to the personal data of the third purpose when they are transmitted to the authorities monitoring infectious diseases.
Therefore, the data processing purposes have different privacy and security
requirements even if some of them are processing the same personal data. Thus, the
privacy protection profile corresponding to a processing purpose is determined based
on the privacy protection principles of the legislation and the privacy requirements
both of the business and the specific data processing purpose.
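The hospital example can be sketched as a mapping from processing purpose to privacy protection profile. The control names chosen for each profile below are hypothetical placeholders for whatever the selection model would actually produce.

```python
# Illustrative privacy protection profiles, one per processing purpose.
# Control names are hypothetical, not prescribed by the model.

profiles = {
    "provision of health services": {
        "access control", "strong authentication", "audit trail",
        "encryption", "disaster recovery plan",
    },
    "administration of personnel": {
        "access control", "audit trail",               # less strict controls
    },
    "notification of infectious diseases": {
        "access control", "audit trail", "anonymity",  # anonymised transfer
    },
}

# The same personal data may appear under several purposes, but each
# purpose carries its own privacy and security requirements:
for purpose, controls in sorted(profiles.items()):
    print(purpose, "->", sorted(controls))
```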
In order to gain confidence that the data controller has achieved the desired level of
privacy protection, an evaluation of the security controls selected and implemented
should be performed based on some security standard [5, 6]. The Common Criteria
(CC) standard provides a flexible evaluation framework that can deal with security
and privacy protection requirements. It provides a common set of requirements for the
security functions of products and systems and for assurance measures applied to
them during a security evaluation. The evaluation process establishes a level of
confidence that the security functions of products and systems and the assurance
measures applied to them meet these requirements.
Thus, the evaluation of the selected and implemented security controls will take
place against the CC standard in order to ensure that an appropriate set of security
controls is identified, that the selected controls are indeed adequate to satisfy an
acceptable level of security and privacy protection and that these controls are properly
installed and operated. The evaluation of the privacy protection requirements will be
based on the privacy protection principles discussed in the previous sections.
Our proposed privacy and security evaluation model is depicted in Figure 2. It is
based on a two-stage evaluation process. The privacy protection profile is examined
against both the privacy protection requirements and the selected security controls.
The model steps are repeated for each data processing purpose.
In the first step of the model the privacy protection level of each data processing
purpose is examined as complying with the legal provisions of the privacy protection
principles. The principles of purpose specification, lawfulness and fairness,
minimality, accuracy, anonymity, individual participation and accountability are
checked with respect to the collection and processing of the personal data
corresponding to each data processing purpose.
In the next step of the model the selected and implemented security controls of the
privacy protection profile are assessed with respect to CC-based security functional
and security assurance requirements. The principle of security is checked regarding
both the technical and the organizational control requirements of each data processing
purpose.
In the final step of the evaluation process tests are carried out to ensure that the
selected technical and organizational security controls are permanently in operation
and that all operational procedures are adhered to. Furthermore, penetration tests should be used to determine whether the security controls implemented are adequate to protect against known vulnerabilities [8].
The successful completion of the evaluation process ensures trust regarding the
privacy protection of the data controller and may lead to a certification. In case the
evaluation process fails, corrective actions should be taken according to the problem
determined. The security and privacy policy and the privacy protection profiles may
be revisited and the security controls selection model may be repeated.
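The two-stage evaluation described above can be sketched as follows. The principle names follow the list given earlier; the control names and the pass/fail structure are assumptions for illustration, not the Common Criteria evaluation procedure itself.

```python
# Sketch of the two-stage evaluation: stage 1 checks the privacy
# protection principles, stage 2 checks that the profile's controls
# are implemented; any gap triggers corrective action.

PRINCIPLES = {"purpose specification", "lawfulness and fairness", "minimality",
              "accuracy", "anonymity", "individual participation", "accountability"}

def evaluate(satisfied_principles, required_controls, implemented_controls):
    """Return ('certified', set()) or ('corrective action', gaps)."""
    missing_principles = PRINCIPLES - satisfied_principles       # stage 1
    missing_controls = required_controls - implemented_controls  # stage 2
    if missing_principles or missing_controls:
        return "corrective action", missing_principles | missing_controls
    return "certified", set()

# A purpose that passes stage 1 but lacks one implemented control:
verdict, gaps = evaluate(
    satisfied_principles=PRINCIPLES,
    required_controls={"access control", "audit trail"},
    implemented_controls={"access control"},
)
print(verdict, sorted(gaps))   # -> corrective action ['audit trail']
```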
6 Conclusion
and communication of personal data are determined in the light of the privacy protection law principles of lawfulness and fairness, minimality, accuracy, anonymity, security, individual participation and accountability. The concrete privacy
protection requirements comprise the input to the next step of the methodology along
with a security baseline manual, the computation and communication infrastructure, and existing vulnerabilities and security solutions, resulting in a detailed set of security controls (privacy protection profile) for each processing purpose. The final step of the
model anticipates the periodical reviewing and modification of the protection profiles
according to new vulnerability analysis results and technological security solutions.
Furthermore, we also proposed a security and privacy evaluation model, which
takes as input the privacy protection profile that is the output of the final step of the
security controls selection process. This model is repeated for all the data processing
purposes of the data controller. It examines both the privacy protection requirements
of the privacy protection profile and the selected and implemented security controls.
Evaluation of the privacy protection level of personal data corresponding to the data
processing purposes is based on the privacy protection principles of the legislation.
Evaluation of the selected and implemented security controls is based on the Common
Criteria standard regarding both the security functional and assurance related
requirements. The final step of the model evaluates the selected security controls for
operation. In case the evaluation is completed successfully trust is established
concerning the level of privacy protection of the data controller, otherwise corrective
actions should be taken.
References
[1] C. Pounder, ‘Security And The New Data Protection Law’, J. Computers & Security, 17
(1998), pp. 124–128.
[2] Institute for Certification of Information Technology (ICIT), ‘Scheme for self-assessment
and certification of information security against BS 7799’, 1997.
[3] Directive 95/46/EC on the protection of individuals with regard to the processing of
personal data and on the movement of such data and 97/66/EC on the protection of
personal data in telecommunications, www.eu.int/comm/…/media/dataprot/.
[4] OECD, Guidelines Governing the Protection of Privacy and Transborder Flows of
Personal Data, Paris, 1980.
[5] Lynette Barnard and Prof. Rossouw von Solms, ‘A Formalized Approach to the Effective Selection and Evaluation of Information Security Controls’, J. Computers & Security, Vol. 19, No. 2, pp. 185–194, 2000.
[6] V. C. Zorkadis, E. Siougle, Ph. Mitletton, ‘Technical and Legal Reports on Evaluation of
Security and Privacy Protection’, Hellenic Data Protection Authority, 1999–2000.
[7] V. Zorkadis, E. Siougle, ‘Information Security and Privacy Audit Modeling’, Proc. of the 5th World Multiconference on Circuits, Systems, Communications and Computers, Crete, July 2001.
[8] A. Jones, ‘Penetration testing and system audit – Experience gained during the
investigation the investigation of systems within the UK’, J. Computers & Security, 16
(1997), pp. 595–602.
Authentication and Authorization of Mobile Clients in
Public Data Networks
HP Labs
1501 Page Mill Road, Palo Alto, CA, USA
1 Introduction
Mobile access to the web is growing rapidly in popularity. People can be seen accessing
the web at airports, coffee shops, malls, and other public places, and Internet
connections are being made available in more and more of them. There are several reasons
for this sudden growth of wireless web access in public places. One is the
standardization of the wireless local area network (WLAN) around 802.11b. This
standard, referred to as Wi-Fi, operates at speeds of up to 11 megabits per second. As a
result of this standardization there has been an explosion of wireless devices equipped
with WLAN access cards. The cost of wireless networks is coming down, and they are
easier to set up than wired networks.
By year-end 2007, 60 percent of the population in the U.S. and Europe will carry
wireless devices, according to a recent Gartner report. By 2010, the percentage will
leap to 75 percent.
Even though public wireless networks are seeing rapid growth, they are not yet
mainstream. Public wireless networks are mushrooming along different lines:
a) individuals deploying their own access points and making them available for public
use; b) companies building their own infrastructure to provide access for a fee;
and c) a few other companies building a virtual network by aggregating
G. Davida, Y. Frankel and O. Rees (Eds.): InfraSec 2002, LNCS 2437, pp. 115–128, 2002.
© Springer-Verlag Berlin Heidelberg 2002
116 P. Reddy et al.
2.1 Definitions
Authentication is the act of verifying a claimed identity. It should be possible for the
receiver of a message to determine its origin and an intruder should not be able to
assume someone else’s identity.
Authentication is a technique to ensure that the stated identity of the user is
correct. As a first step, the entity interested in authenticating itself with some service
introduces itself and declares its identity. The service provider should be able to
verify that the contacting party (the sender) is the one it claims to be; the initiating
party has to present some verification to prove its identity. The initiating party, in
turn, will want to ensure the validity of the contacted party, so the contacted party has
to present some identification about itself to the initiator.
First and foremost, the authentication and authorization scheme needs to work at a
practical level. From a user's perspective it should be easy to use, perhaps non-
intrusive.
It needs to scale.
The solution should allow new service providers and infrastructure providers to
join and participate in the emerging public network.
The solution should facilitate access to services while minimizing redundant
interactions for authentication, and provide single sign-on regardless of the user's
primary service provider.
It must support access to services independent of the user's physical location.
Clients should be allowed to use multiple client devices to gain access.
From a service provider's point of view, customers should be able to access public
networks that are the provider's own or belong to its partners. This implies that once
providers have implemented the server side of the scheme, they can expand their
participation in the public network either by deploying their own infrastructure
or by establishing SLAs with existing service providers.
In this section we examine some of the AA schemes used in public wireless
networks. Any AA scheme has to be evaluated within the context of its operation,
where the context is defined by the number of parties involved and the interaction
needed to authenticate and authorize a user.
The first model we examine is one where an entity has deployed a WLAN in
a public place. Any person with a mobile node entering the place can access the
network, provided the user has established a relationship with the owner of the
network. For example, this relationship could take the form of registering with the
provider or presenting a credit card at the time of access; it is also possible to
establish a relationship at the time of access by providing the proper credentials. Once
a relationship exists, the user is required to access a particular web page using their
browser. This page requires users to authenticate themselves by entering their user
id and the associated password. Any access to network resources is prevented
until the user has been authenticated, and the authentication step must happen at each
location where the user wants to access the network. Let's examine this model by first
breaking it into one-time steps and steps that are repeated each time.
Let us examine how well this scheme matches the criteria we have laid out.
The scheme outlined above seems practical and scalable from the provider's
point of view. In this case the network and the service are provided by the same
entity, so the network provider can expand the network and automatically allow all its
existing users to access the expanded network. From the user's point of view, they can
use the network wherever their provider has deployed infrastructure, but they have the
responsibility to authenticate themselves every time they enter a physical location.
Entering user id and password information on a resource-constrained device
becomes an issue, although a different implementation of this scheme could overcome
this limitation.
Table 1. Messages exchanged between the user and the network owner as part of the
authentication process.

Mobile Client                               Service Provider
1. User accesses the provider's web page    1. Provider sends an authentication form
2. User enters user id and password         2. Provider verifies the presented credentials
                                               against its user database and approves
                                               or rejects
3. User is approved and is allowed to       3. Provider keeps track of usage
   access the network resources
The user id and the password are passed either in the clear or encrypted. If they
are passed in the clear it is very easy for sniffers to steal the credentials; an encryption
scheme would require additional software to be installed on the client device, with all
authentication requests handled by that software. A more serious issue with
this scheme is that if a rogue provider pretends to be the provider known to the user,
it can easily steal the user's credentials and any other information being accessed by
the user. This scheme does not allow the user to verify the authenticity of the
provider.
Privacy in this scheme is limited to what is agreed upon between the user and the
provider at the time of signup. The provider has the ability to keep information about
all of the services being accessed on a per-user, per-location basis.
The virtual public WLAN uses a scheme similar to the one above. The main difference is
that the network is made up of several different infrastructure providers, coalesced
together and made to appear as a single network by the service provider. The user
signs up with the service provider and is allowed to access any of the public WLANs
deployed by the service provider's partners. The major difference in this scheme from
the user's perspective is the availability of the expanded network.
In terms of protecting user credentials and privacy, this scheme suffers from
limitations similar to those identified above. Even though the user has better coverage,
the user is still required to authenticate at each new physical location.
The service provider has to deal with a wide range of infrastructure owners and enter
into SLAs with each of them. The service provider cannot guarantee the performance
or the reliability of the network, as each infrastructure owner may have distinct
standards.
By signing up with a service provider, the infrastructure provider may be forced to
restrict the use of its infrastructure to just the clients of that service provider. It
may be limited or prevented from offering local services and charging for them, as it
has no way to authenticate or bill the client directly.
Table 2. The three entities involved in a public network and the messages exchanged
between them.

Mobile Client           Infrastructure Provider            Service Provider
1. User connects to     1. Detects the user, notifies      1. Provider sends an
   the infrastructure      the service provider, and          authentication form.
                           returns the form sent by the
                           provider to the user.
2. User enters id       2. Does minimal validation and     2. Provider verifies the
   and password.           forwards it to the service         presented credentials
                           provider. Saves the                against its user database
                           authorization token and           and approves by sending
                           accepts the user.                  an authorization token.
3. User is approved     3. Keeps track of the user's       3. Receives user-specific
   and is able to use      usage. Sends usage info to         usage data.
   the service.            the service provider.
3 Our Protocol
We use the following authentication and authorization protocol for service access at
hotspot servers. In our system, a nomadic user/client gets network services by
subscribing to an Internet Service Provider (ISP). There can be many ISPs each
running its own authentication/authorization server (AS) for user authentication and
authorization. There also exist wireless-based hotspot servers (HS), which provide
connectivity as well as local services to the nomadic user. Hotspot servers could be
deployed either by ISPs or by third parties.
Our protocol has two phases, the client authentication phase and the access setup
phase. In the client authentication phase, the client and his/her ISP (AS server)
mutually authenticate each other and derive a shared session key. In the access setup
phase, the AS server sends client authorization information to the HS server.
Additionally, the AS server chooses a service access key and sends it to the HS server
and the client in a secure way. The client can then use the service access key to access
the HS server securely. Before describing the protocol, we first outline some of the
assumptions we make about the environment.
3.1 Assumptions
Here are some of the assumptions we make while describing the protocol.
d. The number of clients is much greater than the number of hotspot servers, which in
turn is greater than the number of authorization servers.
e. Any given nomadic client Ci has a Service Level Agreement (SLA) with one or
more ISPs (ASs).
f. A nomadic client Ci will request service access through HSk (where k is based on
Ci's location).
g. In order for hotspot providers to be viable, they will have SLAs with ASs. When
Ci requests a service from HSk, HSk needs to ensure that it [HSk] has an SLA with
Ci's ASj.
h. Anonymity of Ci should be maintained wherever possible. Thus HSk does not
need to know Ci's identity; Ci's identity is verified only by ASj.
i. There is a discovery protocol/mechanism that enables Ci to establish a
communication channel to HSk.
j. The user and the personal client device are viewed as one (Ci). Ci gets access to
HSk using wireless local area network interfaces such as 802.11; Ci is uniquely
referred to by an identifier (such as the wireless LAN card's MAC address).
k. The client device can range from a laptop to a single-functionality device with
minimal UI.
l. We assume that each pair of AS and HS servers has a secure communication
channel between them. These channels can be set up using a PKI infrastructure or
other existing methods. Since AS and HS servers are expected to be online, we
think this is a reasonable assumption.
Before a mobile client can access any service offered by an HS, it must be
authenticated. The prerequisite for client authentication is that the client has
established a relationship with an AS and that the HS also has an SLA in place with
that AS. We assume that the client shares a secret authentication key with each AS
that he/she has an SLA with.
There are three messages exchanged between an authentication server AS and client
Ci in this phase. All three messages are sent via a hotspot server HS. The role of HS is
simply forwarding messages between the client and the appropriate AS.
Msg 1 (Ci -> ASj): Ci_id, ASj_id, Noncei, HSk_id, Request specific data
where Noncei is a number randomly chosen by Ci and sent to ASj as a
challenge. Ci_id is how the client is identified by ASj. ASj_id and HSk_id are
identifiers of the authentication server and the hotspot server, respectively.
Upon receiving Msg 1, ASj verifies that the request is from a valid client (by looking
up its client database). If the verification fails, ASj aborts the protocol.
Msg 2 (ASj -> Ci): Ci_id, ASj_id, Noncei, Noncej, Response specific data,
MACj
where Noncej is a number randomly chosen by ASj and sent to Ci as a
challenge, and MACj is the message authentication code computed on the
whole message using the authentication key Kij shared between Ci and ASj.
MACj serves as ASj's response to Ci's challenge in Msg 1.
Ci  --- Msg 1 --->  HSk  --- Msg 1 --->  ASj
Ci  <-- Msg 2 ----  HSk  <-- Msg 2 ----  ASj
Ci  --- Msg 3 --->  HSk  --- Msg 3 --->  ASj
Fig. 1. Shows the three messages that are exchanged between the client (Ci) and authorization
service (ASj) to establish mutual authentication. Hotspot (HSk) simply forwards the messages.
Upon receiving Msg 2, Ci verifies that MACj is correctly computed using key Kij. If
the verification fails, Ci aborts the protocol.
Msg 3 (Ci -> ASj): Ci_id, ASj_id, Noncei, Noncej, MACj, Response
specific data, MACi
where MACi is the message authentication code computed on the whole
message using the authentication key Kij shared between Ci and ASj. MACi
serves as Ci's response to ASj's challenge in Msg 2. MACj is included in
this message as a way of integrating the previously exchanged data.
Upon receiving Msg 3, ASj verifies that MACi is correctly computed using key Kij. If
the verification fails, ASj aborts the protocol.
When all the verifications are successful, client Ci and authentication service ASj have
mutually authenticated each other. They can now privately compute the shared
session key Ks from the message authentication code computed on (MACi, MACj)
using the shared authentication key Kij, i.e., Ks = MAC(MACi, MACj).
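The three-message exchange and session-key derivation above can be sketched in a few lines of Python. This is a minimal single-process model, not a networked implementation: the use of HMAC-SHA256 as the MAC function, the `|`-delimited message encoding, and the nonce and key sizes are all assumptions, since the paper does not fix concrete algorithms.

```python
import hashlib
import hmac
import os

def mac(key: bytes, data: bytes) -> bytes:
    """Message authentication code; HMAC-SHA256 is an assumed stand-in."""
    return hmac.new(key, data, hashlib.sha256).digest()

# Long-term authentication key Kij shared between client Ci and server ASj.
Kij = os.urandom(32)

# Msg 1 (Ci -> ASj): identities plus the client's random challenge Noncei.
nonce_i = os.urandom(16)
msg1 = b"Ci_id|ASj_id|" + nonce_i + b"|HSk_id|request-data"

# Msg 2 (ASj -> Ci): the server's challenge Noncej plus MACj over the message.
nonce_j = os.urandom(16)
msg2_body = b"Ci_id|ASj_id|" + nonce_i + b"|" + nonce_j + b"|response-data"
mac_j = mac(Kij, msg2_body)          # ASj's response to the client's challenge

# Ci verifies MACj before proceeding (aborts otherwise).
assert hmac.compare_digest(mac_j, mac(Kij, msg2_body))

# Msg 3 (Ci -> ASj): echoes both nonces and MACj, adds MACi.
msg3_body = (b"Ci_id|ASj_id|" + nonce_i + b"|" + nonce_j + b"|"
             + mac_j + b"|response-data")
mac_i = mac(Kij, msg3_body)          # Ci's response to the server's challenge

# ASj verifies MACi the same way.
assert hmac.compare_digest(mac_i, mac(Kij, msg3_body))

# Both sides now privately derive the session key Ks = MAC_Kij(MACi, MACj).
Ks = mac(Kij, mac_i + mac_j)
```

Note that HSk never appears in the computation: it only forwards the messages, which is exactly why the client's identity and keys stay between Ci and ASj.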
After successfully authenticating client Ci, ASj obtains authorization information for
Ci and sends it to HSk using the secure channel between ASj and HSk. Additionally, ASj
chooses a service access key Ka and sends it to both Ci and HSk so that Ci can use it for
secure service access with HSk. The following two messages are exchanged in this
phase.
ASj  --- Msg 4 --->  HSk  --- Msg 5 --->  Ci
Fig. 2. Shows the messages exchanged by the client, authorization service and hotspot in the
access setup phase.
Msg 4 (ASj -> HSk): Authorization Data, Ka, EKs[Ka], ASj_id, MACs
where EKs[Ka] denotes the encryption of Ka using Ks and MACs is the
message authentication code computed on data (EKs[Ka], ASj_id) using Ks.
This message is sent over the secure channel between ASj and HSk.
After receiving Msg 4, HSk gets the necessary authorization information and the
service access key Ka. HSk then forwards (EKs[Ka], ASj_id, MACs) to the client Ci.
After receiving Msg 5, client Ci verifies that MACs is correctly computed using key Ks
associated with the received ASj_id. When successful, client Ci decrypts EKs[Ka] using
Ks to obtain Ka. Client Ci can then use the shared service access key Ka to access HSk
securely.
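The access setup phase can be sketched as follows. This is an illustrative model under stated assumptions: the paper does not name the cipher behind EKs[...] or the MAC algorithm, so a key-derived XOR stream stands in for the encryption (adequate only because Ka is used once) and HMAC-SHA256 stands in for MACs.

```python
import hashlib
import hmac
import os

def mac(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 as an assumed stand-in for the protocol's MAC."""
    return hmac.new(key, data, hashlib.sha256).digest()

def xor_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for E_Ks[...]: XOR with a key-derived stream (not a real cipher)."""
    stream = mac(key, b"enc")
    return bytes(a ^ b for a, b in zip(data, stream))

Ks = os.urandom(32)           # session key from the client authentication phase
Ka = os.urandom(16)           # service access key chosen by ASj

# Msg 4 (ASj -> HSk), sent over the secure ASj-HSk channel:
# Authorization Data, Ka, EKs[Ka], ASj_id, MACs over (EKs[Ka], ASj_id).
eks_ka = xor_encrypt(Ks, Ka)
mac_s = mac(Ks, eks_ka + b"ASj_id")

# Msg 5: HSk keeps Ka and forwards (EKs[Ka], ASj_id, MACs) to the client.
# The client verifies MACs under Ks, then recovers Ka.
assert hmac.compare_digest(mac_s, mac(Ks, eks_ka + b"ASj_id"))
recovered_Ka = xor_encrypt(Ks, eks_ka)   # XOR is its own inverse
assert recovered_Ka == Ka
```

After this exchange both Ci and HSk hold Ka, even though HSk never learns Ks and Ci's identity was checked only by ASj.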
3.4 Discussion
4 Implementation
We will briefly discuss the various alternatives we considered and give an overview
of our implementation. This section has two sub-sections: the first discusses the
implementation details of the AA protocol, and the second covers the encryption
options between the client and the HS.
4.2.1 AA Protocol
Our implementation currently supports authenticated access for HTTP-based access and
services. The protocol has been implemented over both Diameter (as a Diameter
application)1 and HTTP [13]. For the Diameter-based implementation, the publicly
available implementation2 of the Diameter base protocol from Sun [8] has been used
(which also implements the Diameter protocol API specification [9]). The hotspot-AA
protocol messages are transported in the format defined in the EAP specification
(in the NASREQ extension). The protocol was implemented over HTTP partly to cater
to entities not supporting the Diameter release from Sun; it also enabled access to
systems across firewalls (by exploiting the presence of HTTP proxies).
1 The Diameter protocol, an IETF Internet Draft based on RADIUS, is defined to provide a
base protocol that can be extended in order to provide AAA services to new access
technologies. The base protocol is not stand-alone and is designed to be extended with a
Diameter application. Two Diameter applications currently defined in the IETF drafts are of
interest here: the Mobile IP and NASREQ extensions.
2 Only binaries are made available.
We also provide implicit authorization for local web services deployed at the
hotspots. For example, some services should not be accessible to a certain class of
users, while others should be accessible only to administrators. These kinds of access
control can be specified at the HS.
The first URL request triggers the hotspot-AA protocol execution after the
ClientProxy discovers that it does not possess the authorization key for accessing the
entities at the HS. The ClientProxy sends and receives the hotspot-AA protocol
messages as HTTP POST messages and responses, respectively. The protocol message
exchange happens with the Auth Handler (described in the next section) at the HS.
Auth-Handler
Access to the Auth Handler for hotspot-AAA protocol execution itself does not
require user authentication. In both of the above cases, the HS and the AS are mutually
authenticated (and a session key is generated) before the client messages are
forwarded. The HS and the AS also undergo shared-key-based authentication; the
shared key is established as a result of the SLA. (Other alternatives are possible
for the HS-AS authentication, using PKI, for example.) The mutual
authentication between any two principals is limited to a definite time interval, after
which they have to undergo authentication again. The authorization key that is
distributed by the AS (Message #4 in the protocol description) is stored.
HS-Proxy
To provide Internet access to clients, the HS hosts a proxy. In order to provide
access only to authenticated users, the proxy needs hooks to query the
Auth Handler; in other words, the proxy has to invoke the AA infrastructure for
each client request.
Every client URL request contains a signature and the client-id (refer to the section on
the client-side protocol handler). The HS-Proxy invokes the Auth-Handler service with
the arguments URL, signature, and client-id. The Auth-Handler validates the signature
and responds with the authorization status.
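The per-request check described above can be sketched as follows. The paper does not specify the signature scheme, so this sketch assumes the client signs each URL with the service access key Ka using HMAC-SHA256; the class and method names (`AuthHandler`, `validate`) are illustrative, not the implementation's actual API.

```python
import hashlib
import hmac

def sign_request(Ka: bytes, url: str) -> str:
    """Client side: sign a URL with the service access key Ka (assumed scheme)."""
    return hmac.new(Ka, url.encode(), hashlib.sha256).hexdigest()

class AuthHandler:
    """Holds the per-client access keys distributed by the AS in Msg 4."""
    def __init__(self):
        self.keys = {}            # client-id -> Ka

    def validate(self, client_id: str, url: str, signature: str) -> bool:
        Ka = self.keys.get(client_id)
        if Ka is None:
            return False          # unknown client: hotspot-AA protocol must run first
        expected = sign_request(Ka, url)
        return hmac.compare_digest(expected, signature)

# The HS-Proxy invokes the Auth-Handler for every client request:
handler = AuthHandler()
handler.keys["client-42"] = b"\x01" * 16
sig = sign_request(b"\x01" * 16, "http://example.test/page")
assert handler.validate("client-42", "http://example.test/page", sig)
# A signature replayed against a different URL fails validation.
assert not handler.validate("client-42", "http://example.test/other", sig)
```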
The AS has also been implemented over both Diameter and HTTP. The Diameter-based
implementation is a standalone Diameter server (implementing the Diameter
base protocol) which dynamically loads the AS side of the hotspot-AA protocol
(implemented as a library). The library registers a set of callbacks to process the
Diameter messages dealing with hotspot-AAA; on receipt of a message, the Diameter
server parses the message and invokes the registered callbacks.
The HTTP-based implementation is a web service. The AS maintains two databases:
one for the clients and one for the HSs that it has SLAs with.
Data encryption is optional: it is left to clients to decide whether they want
encrypted data transfer or not. Encryption is provided only between the ClientProxy
and the HS-Proxy; the HS-Proxy decrypts the data before forwarding it to the next
network hop. The encryption/decryption algorithms use the authorization key (which
the AS hands over to the client and the HS) as the key. The ClientProxy and the
HS-Proxy encrypt only part of the data (the bodies of the HTTP messages). Note that
this encryption is over and above any encryption due to data transfer with a secure
web site (SSL communication).
5 Summary
We have outlined several AA schemes that are in practice today and shown that none
of them adequately addresses the three-party, mutually untrusted network model. We
propose a protocol that can be used to authenticate and authorize clients,
infrastructure providers, and service providers that operate in an untrusted
environment. This protocol can play a significant role in the development of public
data networks that support true roaming. The current implementation supports only
HTTP; we would like to extend it to support other transport mechanisms such as FTP
and RTSP. We would also like to investigate how this protocol can co-exist with
Mobile IP.
A Contemporary Foreword on GSM Security
Paulo S. Pagliusi
Abstract. This article contains a current outline of GSM system security,
with focus on the air interface protocol. It presents the terminology and describes
the GSM security operation, including its principles and features. This
document also discusses the effectiveness of GSM authentication and the
strength of GSM encryption. It therefore includes the most significant physical
and cryptanalytic attacks on GSM security mechanisms, such as the recent
optical fault induction and partitioning attacks. GSM security features retained
and enhanced for 3G Security and further applications in network (Internet)
remote access are also contemplated. This article aims primarily at contributing
to progressive research in mobile systems security and at reviewing the security
solutions implemented in this area for further applications.
1 Introduction
This article contains an up-to-date overview of the European GSM1 cellular phone
system security, with focus on the air interface protocol. It presents the terminology
and describes the GSM security operation, including its principles and features, such
as subscriber identity confidentiality and authentication, stream ciphering of user
traffic and user-related control data, and the use of triplets and the SIM module.
This document also discusses the effectiveness of GSM authentication and the
strength of GSM encryption. It therefore includes the most significant physical and
cryptanalytic attacks against GSM security mechanisms, for instance the new optical
fault induction and partitioning attacks, and the GSM features retained and enhanced
for Third Generation Security (3GPP)2. Further applications in network remote
access are also contemplated. This article aims primarily at contributing to
progressive research in mobile systems security and at reviewing the security
solutions implemented in this area for further applications in other correlated areas,
such as authentication for Internet remote access supporting ubiquitous mobility.
1 GSM was formerly an acronym for Groupe Spéciale Mobile (founded 1982). It is now an
acronym for Global System for Mobile Communications (http://www.gsmworld.com).
2 3GPP (3rd Generation Partnership Project) is a partnership project including: ETSI (Europe),
ARIB & TTA (Japan), TTC (Korea) and T1P1 (USA).
G. Davida, Y. Frankel and O. Rees (Eds.): InfraSec 2002, LNCS 2437, pp. 129–144, 2002.
© Springer-Verlag Berlin Heidelberg 2002
130 P.S. Pagliusi
1.1 Terminology
Mobile Station (MS): a Mobile Equipment (ME, or “mobile telephone”) with its
GSM Subscriber Identity Module (SIM). Each MS has a contractual relationship
with a network, called the home network, but may be allowed to roam in other
visited networks when outside the home network's coverage area (Figure 1).
Fig. 1. GSM system architecture: the MS (with a SIM holding an IMSI and Ki) communicates
over the air interface with a BS; the BSC and MSCs connect it onward to public networks
(PDNs); the HPLMN's HLR and AuC share the IMSI and Ki with the MS.
Home PLMN (HPLMN): each MS has a home PLMN with which it shares an IMSI
and a Ki. The HPLMN and the visited PLMN have a bilateral agreement, under
which the visited PLMN trusts the HPLMN to pay for the services that the visited
PLMN provides to the MS. Each HPLMN maintains a Home Location Register
(HLR) and operates an Authentication Centre (AuC) to support its MS.
Home Location Register (HLR): used to record the most recent known location of
all MS belonging to a specific HPLMN.
Authentication Centre (AuC): used by a HPLMN to generate random challenges
(RAND) and to store secret key information (Ki) relating to each of its MS. The
AuC can be integrated with other network functions, e.g. with the HLR.
Air Interface: synonym for radio path. The MS ‘visits’ a PLMN by communicating
with the serving BS across an air interface and receiving an entry in the VLR.
The purpose of security for the GSM system is to make the system as secure as the
public switched telephone network and to prevent phone cloning. The use of the air
interface as the transmission medium exposes the system to a number of potential
eavesdropping threats. As stated by [4], “it was soon apparent in the threat analysis
that the weakest part of the system was the radio path, as this can be easily
intercepted”. In fact, there was no attempt to provide security on the fixed network
part of GSM. It should also be noted that GSM security was designed with three
constraints in mind [13]:
Concern that granting too much security would bring export problems upon GSM;
GSM did not have to be resistant to “active attacks”, where the attacker interferes
with the operation of the system, perhaps masquerading as a system entity; and
The trust between operators required for the security operation should be minimized.
The technical features for security are only a small part of the GSM security
requirements; the greatest threat is from simpler attacks such as disclosure of the
encryption keys, insecure billing systems, or even corruption. A balance is required to
ensure that the security processes meet these requirements, and at the same time a
judgment must be made of the cost and effectiveness of the GSM security measures.
The principles of GSM security are, according to [6] and [13]:
Subscriber identity confidentiality;
Subscriber identity authentication;
Stream ciphering of user traffic and user-related control data; and
Use of SIM as security module.
It is also important to emphasize the GSM feature of the use of triplets. The GSM
principles and this special feature are described in the following sections.
Purpose: to avoid an interceptor of the mobile traffic being able to identify which
subscriber is using a given resource on the air interface.
Description: The use of temporary identifiers provides anonymity, so that it is not
easy to identify the GSM user. This protects against the tracing of a user's location
by listening to exchanges on the radio path. Instead of the IMSI, a new temporary
mobile subscriber identity (TMSI) is allocated by the PLMN, at least on every
location update, and used to identify an MS on the air interface.
Operation: When an MS attempts access with a PLMN with which it is not presently
registered, the MS uses its IMSI to identify itself. The IMSI is then authenticated
by the PLMN, which results in the sharing of a cipher key (Kc). When the PLMN
switches on encryption, the VLR generates a TMSI for the MS, storing the association
of TMSI and IMSI in its database. The TMSI is then sent to the MS, encrypted
with Kc. The next time the MS attempts access in that PLMN, it uses the TMSI
previously allocated by the VLR instead of its IMSI; the PLMN then looks up its
table of TMSI-to-IMSI mappings to find the MS's permanent identity. After a
successful authentication, and once an encrypted channel has been established, the
PLMN assigns the MS another TMSI. A new TMSI is issued frequently so that
an MS cannot be identified and followed around. After a handover to a
new VLR, or a successful re-authentication with the same VLR, the PLMN always
sends a new TMSI to the MS. The MS then stores the new TMSI and removes the
association with any previously allocated TMSI; in turn, the VLR removes the
association between the old TMSI and the IMSI from its database.
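The VLR-side bookkeeping described in the Operation paragraph above can be sketched as a small state machine. This is an illustrative model only; the class and method names are hypothetical, and the 4-byte random TMSI is an assumption standing in for the operator's allocation scheme.

```python
import os

class VLR:
    """Minimal model of the TMSI-to-IMSI bookkeeping described in the text."""
    def __init__(self):
        self.tmsi_to_imsi = {}

    def allocate_tmsi(self, imsi):
        # Drop any previous TMSI held for this IMSI, then issue a fresh one,
        # as happens after authentication, handover, or re-authentication.
        for tmsi, known in list(self.tmsi_to_imsi.items()):
            if known == imsi:
                del self.tmsi_to_imsi[tmsi]
        tmsi = os.urandom(4).hex()
        self.tmsi_to_imsi[tmsi] = imsi
        return tmsi

    def resolve(self, tmsi):
        # Look up the permanent identity when the MS next attempts access.
        return self.tmsi_to_imsi.get(tmsi)

vlr = VLR()
t1 = vlr.allocate_tmsi("imsi-001")
assert vlr.resolve(t1) == "imsi-001"
t2 = vlr.allocate_tmsi("imsi-001")   # re-authentication: new TMSI, old one removed
assert vlr.resolve(t1) is None and vlr.resolve(t2) == "imsi-001"
```

Because each access uses a fresh TMSI, an eavesdropper on the radio path cannot link successive accesses to the same subscriber.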
Fig. 2. GSM authentication and cipher key generation: Ki and RAND are input to A3,
producing SRES, which is compared with XRES (authenticated if equal, not authenticated
otherwise); the same inputs to A8 produce Kc, which keys the A5 algorithm to turn plaintext
into ciphertext.
This protects the PLMN from illicit use. GSM authentication is a one-way
process, i.e., the visited PLMN is not authenticated.
Operation: Authentication is performed by a challenge-and-response mechanism.
Ki in the HPLMN is held in the AuC. A random challenge (RAND) is generated
by the AuC and issued to the MS via the PLMN. The MS encrypts RAND using Ki
and the authentication algorithm A3 implemented within the SIM, and sends a
signed response (SRES) back to the PLMN. The AuC performs the same process with
RAND to compute the expected response (XRES), which is sent to the PLMN. The
PLMN can now check that the MS holds Ki and that the response received is correct
by comparing the value received from the HPLMN (XRES) with what it receives
from the MS (SRES). Eavesdropping on the radio channel should reveal no useful
information, as a new RAND will be used the next time (Figure 2).
SRES = A3_Ki(RAND)    (1)
Is XRES = SRES?
Purpose: stream cipher encryption is used in the GSM system to protect sensitive
information against eavesdropping on the air interface.
Description: This protects the user data passing over the radio path, on physical
connections or connectionless, and the sensitive information on the signalling
channel (e.g. phone numbers, TMSI) from eavesdropping on the air interface.
Confidentiality is achieved by the use of encryption at the physical layer, the
choice being influenced by: speech coder, error propagation, delay, and handover.
Operation: At the same time that XRES and SRES are calculated, RAND and Ki
are passed through algorithm A8 by both the MS (SIM) and the HPLMN (AuC) to
derive the cipher key Kc. Kc is then delivered from the HPLMN (AuC/HLR) to
the serving PLMN (VLR/BS). Typically, algorithms A3 and A8 are combined into
one, called A3/8, residing within the SIM and the AuC. Kc is used for encrypting
the signalling and messages to provide privacy through the use of the A5 series of
algorithms (Figure 2). The BS tells the ME which A5 algorithm it has (if it has
one) and sends a cipher command; at the same time, the BS starts decrypting. The
ME starts encrypting and decrypting when it receives the cipher command, and the
BS starts encrypting when it receives back the cipher command acknowledgement.
A fresh cipher key Kc is generated for each call. When a handover occurs during a
call, the necessary information is transferred by the PLMN to the new BS, and the
encryption continues using the same Kc.
Kc = A8_Ki(RAND)    (2)
Ciphertext = A5_Kc(Plaintext)
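Equations (1) and (2) and the A5 keystream step can be illustrated with a toy model. The real A3 and A8 are operator-chosen (often the combined COMP128) and A5 is a hardware stream cipher, none of which are public in this form, so HMAC-SHA256-based stand-ins are used here purely to show the data flow; only the output sizes (32-bit SRES, 64-bit Kc) follow the GSM specifications.

```python
import hashlib
import hmac
import os

def A3(Ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the operator's A3: 32-bit signed response (SRES)."""
    return hmac.new(Ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def A8(Ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the operator's A8: 64-bit cipher key Kc."""
    return hmac.new(Ki, b"A8" + rand, hashlib.sha256).digest()[:8]

def A5(Kc: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR with a Kc-derived keystream."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(Kc, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

Ki = os.urandom(16)
RAND = os.urandom(16)                  # challenge generated by the AuC

SRES = A3(Ki, RAND)                    # computed by the SIM, eq. (1)
XRES = A3(Ki, RAND)                    # computed by the AuC
assert SRES == XRES                    # PLMN compares them: MS authenticated

Kc = A8(Ki, RAND)                      # eq. (2), derived on both sides
ciphertext = A5(Kc, b"sensitive signalling data")
assert A5(Kc, ciphertext) == b"sensitive signalling data"   # stream cipher inverts
```

The point the model makes is structural: Ki never leaves the SIM or the AuC; only RAND, SRES, and Kc cross network boundaries.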
Purpose: with the use of triplets, authentication can be performed in the ‘visited’
PLMN without the network operator (BS, VLR) having knowledge of Ki.
Description: A random challenge (RAND), the resulting expected response
(XRES), and the cipher key (Kc) produced by A3/8 form a “triplet” (224 bits).
Operation: An AuC produces a batch of triplets for an MS, each entry with a
different RAND, all at once, and passes them for distribution to the associated HLR
of the same HPLMN. When an MS attempts to make a call or a location update, in
either its HPLMN or a visited PLMN, the SIM passes its identity to the VLR.
The VLR requests from the subscriber's HPLMN a batch of triplets for the identity
claimed by the MS (i.e. the SIM), and the HLR of the HPLMN responds with a
batch of (n) triplets for that claimed identity (Figure 3).
Fig. 3. Generation and distribution of triplets: in the HPLMN, the AuC passes RAND and Ki through A3/8 to produce, for each subscriber, triplets (RAND(i), XRES(i), Kc(i)); the HLR stores a batch of n triplets for each of several subscribers, to be sent on demand to the serving VLR of the serving PLMN.
The serving VLR then authenticates the SIM by sending RAND(i) of the batch of
triplets to the MS, via BS, and by comparing the value of the stored expected re-
sponse XRES(i) for that RAND(i) with the received SRES produced by the SIM. If
they match, the MS claimed identity is deemed to be authenticated and so the VLR
can pass the cipher key Kc(i) from the triplet to the serving BS. Kc(i) and the se-
cret key Kc calculated by the SIM, both with the same value, can be used respec-
tively by the BS and the MS to protect the air interface (Figure 4). When the
PLMN has run out of triplets, it should request more from the home HLR, though
the PLMN is allowed to re-use triplets if it cannot obtain more from the HPLMN.
Triplet(i) = (RAND(i), XRES(i), Kc(i)); 1 ≤ i ≤ n (3)
Where: n = number of entries stored in a batch of triplets for a subscriber;
i = entry chosen by the serving VLR to be sent to the MS via BS.
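The triplet flow above can be sketched as follows. Since A3/8 is operator-specific and unpublished, an HMAC-based stand-in plays its role here; all function names, and everything except the 224-bit triplet layout (128-bit RAND, 32-bit XRES, 64-bit Kc), are illustrative assumptions:

```python
import hmac, hashlib, os

def a3_8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for the secret A3/8 algorithm: derive (XRES, Kc) from Ki and RAND.
    GSM sizes: RAND 128 bits, XRES 32 bits, Kc 64 bits -> a 224-bit triplet."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]          # XRES (32 bits), Kc (64 bits)

def make_triplets(ki: bytes, n: int) -> list[tuple[bytes, bytes, bytes]]:
    """AuC side: produce a batch of n triplets (RAND, XRES, Kc), each with a fresh RAND."""
    batch = []
    for _ in range(n):
        rand = os.urandom(16)                # 128-bit random challenge
        xres, kc = a3_8(ki, rand)
        batch.append((rand, xres, kc))
    return batch

def authenticate(triplet, sim_ki: bytes) -> bytes:
    """Serving VLR side: challenge the SIM with RAND and compare its SRES to XRES.
    Ki never leaves the home network; only the triplet is shared with the VLR."""
    rand, xres, kc = triplet
    sres, sim_kc = a3_8(sim_ki, rand)        # computed inside the SIM
    if sres != xres:
        raise ValueError("authentication failed")
    return kc                                 # passed to the serving BS for A5

ki = os.urandom(16)
batch = make_triplets(ki, n=5)
kc = authenticate(batch[0], ki)              # SIM holds the genuine Ki
```

Note how the design choice shows up directly: `authenticate` needs only the triplet, never `ki`, which is the minimal-trust delegation the text describes.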
Fig. 4. Authentication and Encryption for GSM using triplets and SIM.
An impostor must not be able to send chosen RAND values to the SIM and collect
the SRES returned; hence A3/8 must be resistant to a chosen-plaintext attack (this
latter requirement was shown not to be satisfied by the algorithm COMP128, used
as A3/8 by many operators).
3rd) An impostor cannot derive a particular Kc from the RAND and SRES in the
same triplet or by collecting a number of RAND–SRES pairs. This means that SRES
and Kc, though derived from the same RAND and Ki, must be completely unrelated.
4th) Ki is not to be shared with the serving PLMN. Even A3/8 does not need to be
known by the VLR, as this algorithm is used only where Ki is present (i.e. in the AuC
and SIM). The same applies to A5, used not in the VLR but in the BS.
5th) The AuC must be resistant to penetration.
6th) The SIM should be tamperproof.
A5 series algorithms are contained within the BS and the ME, but not within the SIM,
as they have to be sufficiently fast and are therefore hardware. There are two defined
algorithms used in GSM known as A5/1 (only members of CEPT3) and A5/2 (export-
able). Neither A5/1 nor A5/2 has been officially published. The cipher key Kc, used
with algorithm A5, is 64 bits long, but the top 10 bits are forced to 0 in the SIM and
AuC, leaving only 54 bits of effective key length. A fresh Kc is generated for each
call, and a 22-bit message key (the frame number) changes every frame (4.615 ms),
giving a 5.4 hour repeat cycle.
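The effective key length and the repeat cycle quoted above can be checked with a little arithmetic:

```python
# Effective A5 key space: a 64-bit Kc with the top 10 bits forced to zero.
effective_bits = 64 - 10          # 54 bits of effective key length
keyspace = 2 ** effective_bits

# A 22-bit frame number advances once per frame (every 4.615 ms):
frames = 2 ** 22
cycle_hours = frames * 4.615e-3 / 3600   # time until the frame count repeats
print(effective_bits, round(cycle_hours, 1))  # 54 5.4
```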
Encryption operates at the physical layer (layer 1) in the protocol stack. Ciphering
only exists between MS (ME) and BS, as it was assumed that most other links after-
wards would be along fixed lines. The decision to put encryption at the layer 1 had
some consequences, as described below:
The maximum amount of data, both user and signalling data is encrypted;
Since ciphering takes place after error correction and deciphering takes place be-
fore error correction, a stream cipher must be used for GSM because of the
relatively high uncorrected error rate (about 10^-3) in wireless environments;
The frame counter, normally used for synchronisation at layer 1, is used with an
expanded length as an input to the key stream generator. The frame counter is 1024
times longer than the longest frame aggregation required for non-encryption pur-
poses, to avoid repetition during a call, which would cause an encryption weakness; and
The encryption algorithm can be implemented in hardware.
As a stream cipher, A5 works on a bit by bit basis (and not on blocks, as DES and
AES). So, an error in the received ciphertext will only result in the corresponding
plaintext bit being in error, as shown in the diagram for A5 operation (Figure 5).
As a function of Kc and frame counter, a key stream generator produces a string of
pseudo-random bits. This string of bits is XORed with the plaintext to produce the
ciphertext. At the decrypting end, the same key stream is produced and XORed with
the ciphertext to produce the plaintext.

Fig. 5. A5 operation: two 114-bit blocks of key stream per frame, one for the downlink and one for the uplink.

In GSM both sides can transmit simultaneously (it is full duplex), so within a frame
both the MS and the BS transmit and receive.
The first 114 bit block (BLOCK1) of the string is used to encrypt the plaintext data
being transmitted. The second 114 bit block (BLOCK2) is used to decrypt the data
received in that frame, as shown in the diagram (Figure 5). At the other end of the air
interface, the first block is used to decrypt the received ciphertext and the second
block of the same string is used to encrypt the plaintext to be transmitted.
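The per-frame key stream usage can be sketched as follows. A5 itself is unpublished, so the generator below is an HMAC-based stand-in; only the 114-bit block sizes and the XOR structure follow the text, everything else is an illustrative assumption:

```python
import hmac, hashlib

FRAME_BITS = 114  # bits per direction per frame, as in the text

def keystream_blocks(kc: bytes, frame_number: int) -> tuple[int, int]:
    """Stand-in key stream generator: from Kc and the frame counter, derive
    two 114-bit key stream blocks per frame, one for each direction."""
    seed = hmac.new(kc, frame_number.to_bytes(4, "big"), hashlib.sha256).digest()
    stream = int.from_bytes(seed + seed, "big")        # 512 pseudo-random bits
    block1 = stream >> (512 - FRAME_BITS)              # first 114-bit block
    block2 = (stream >> (512 - 2 * FRAME_BITS)) & ((1 << FRAME_BITS) - 1)
    return block1, block2

def xor_crypt(data_bits: int, block: int) -> int:
    """Stream-cipher step: XOR with the key stream. Applying it twice with the
    same block recovers the data, and a single-bit error in the ciphertext
    flips only the corresponding plaintext bit."""
    return data_bits ^ block

kc = b"\x00\x00" + b"\xab" * 6            # 64-bit Kc, top bits zeroed as in GSM
b1, b2 = keystream_blocks(kc, frame_number=42)
plaintext = 0x123456789ABCDEF
cipher = xor_crypt(plaintext, b1)         # one side encrypts with block 1
assert xor_crypt(cipher, b1) == plaintext # the other side decrypts with block 1
```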
The most significant physical and cryptanalytic attacks on GSM are given below; [9],
[10] and [13] are also good references on this subject.
The fact that the BS to BSC link is in many cases a point to point microwave link is a
clear gap in GSM security. This link can be eavesdropped upon as data is at this point
un-encrypted. At the time of GSM design, it was expected that the BS to BSC link
would be across fixed links and therefore that encryption would not be required. In
3GPP, the encryption extends as far as the Radio Network Controller (RNC), the
3GPP equivalent of the BSC; microwave links are therefore protected [13].
When a call is not in progress, it is possible for the SIM to be removed from one ME
and put in another with which it has no previous association. As the SIM-ME interface
is unprotected, it is possible for the SIM to be connected to terminal emulators instead
of “genuine” ME and consequently for messages on the SIM-ME interface to be
tapped. However, unless the algorithms on the SIM are sub-standard, there is no ad-
vantage in compromising the SIM-ME interface in this way.
Wagner and Goldberg announced in April 1998 that they had cracked COMP128, an
algorithm taking the function of A3/8 in the SIM of many operators. COMP128 had a
weakness which would allow complete knowledge of Ki if around 160 000 chosen
RAND-SRES pairs could be collected (“chosen plaintext” attack). There are active
attacks that can be used to obtain these pairs. The quickest attack would be to steal the
user’s mobile phone, remove the SIM and connect it to a phone emulator that can be
used to send 160 000 chosen RANDs to the SIM and receive the SRESs. SIMs tend to
have relatively slow clock speeds, so it can take up to 10 hours to obtain the
160 000 pairs (with faster SIMs, about two and a half hours).
Another method is to use a false BS to send the RAND over the air interface. The
rate at which pairs can be collected is slower and would take a number of days; how-
ever the attacker does not need physical possession of the SIM. After these efforts, the
attacker has the Ki and can masquerade as the user and run calls on her bill, and also
determine the Kc for the user’s calls and therefore eavesdrop upon them [13].
The only attack on an algorithm that has been confirmed to be A5/1 was that by
Biryukov and Shamir [2], later improved by Wagner [3]. The technique used is known
as “time-memory trade-off”. In a pre-processing phase, a large database of algorithm
states and related key stream sequences is created. In the attack phase, the database is
searched for a match with sub-sequences of the known key stream. If a match is
found, then with high probability the database gives the correct algorithm state. It is
then simple to compute Kc and decipher the rest of the call. Shamir and Biryukov
made the attack feasible in practice if 2 minutes of known key stream could be
obtained. Wagner spotted a further optimization which would allow Kc to be obtained
with only 2 seconds of known plaintext (from both uplink and downlink).
This is not trivial, because the precise sequence of bits that is encrypted must be
obtained. It is a fine piece of cryptanalytic work, but in reality it would probably not
be used, as the false BS attack represents an easier method of eavesdropping [13].
5.5 Attacks on the SIM Card: Optical Fault Induction and Partitioning Attacks
Since the SIM module is implemented on a smart card, any discovery of a common
vulnerability in smart cards immediately affects the security of the information
stored in the SIM (e.g., IMSI and Ki). Thus, it is vital to emphasize a new class of
attacks on smart cards called optical fault induction, revealed by Skorobogatov and
Anderson [12]. They discovered the flaw after Skorobogatov found that he could interfere with a smart card's operation by illuminating it with a camera flash.
Fig. 6. The false BS attack: a false BS, emulated together with a device acting as a MS, captures the target MS with a high-power signal over the air interface, preventing normal MS communication. The user’s call request to destination x (with the user’s IMSI/TMSI) is relayed to a genuine BS of the visited access network with the attacker’s IMSI/TMSI; the RAND is forwarded but the SRES is ignored, and the call towards the MS is started unencrypted, so the data can be decrypted and tampered with.
As illustrated in [4], a properly designed billing system can be used to detect fraud
patterns from normal GSM usage. Different types of fraud often produce a distinct
pattern that can be detected. The indicators to look for are: (i) multiple calls at the
same time; (ii) large variations in revenue being paid to other parties; (iii) large
variations in the duration of calls, such as very short or very long calls; (iv) changes
in client usage, indicating that a MS has been stolen or is being abused; and (v) close
monitoring of a GSM client’s usage during a “probationary period”.
There are some “Fraud Engines” on the market that can provide these features,
enabling patterns in billing data to be analyzed, and give time for swift effective ac-
tion. With fraud detection capability, and security procedures in place, it is possible to
minimise the effect of fraud on a billing system.
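As a sketch of indicator (i), overlapping calls on the same identity can be flagged from billing records; the record layout below is a hypothetical simplification, not a real billing schema:

```python
from datetime import datetime

def overlapping_calls(call_records):
    """Fraud indicator (i): flag any IMSI with two calls that overlap in time --
    a single genuine handset cannot run two calls at once.
    call_records: list of (imsi, start, end) tuples (hypothetical layout)."""
    by_imsi = {}
    for imsi, start, end in call_records:
        by_imsi.setdefault(imsi, []).append((start, end))
    flagged = []
    for imsi, calls in by_imsi.items():
        calls.sort()                           # order calls by start time
        for (s1, e1), (s2, e2) in zip(calls, calls[1:]):
            if s2 < e1:                        # next call starts before previous ends
                flagged.append(imsi)
                break
    return flagged

records = [
    ("262011234567890", datetime(2002, 10, 1, 9, 0), datetime(2002, 10, 1, 9, 10)),
    ("262011234567890", datetime(2002, 10, 1, 9, 5), datetime(2002, 10, 1, 9, 20)),
    ("262019876543210", datetime(2002, 10, 1, 9, 0), datetime(2002, 10, 1, 9, 5)),
]
print(overlapping_calls(records))  # ['262011234567890']
```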
The 3G radio access link security was built on the security of GSM. 3GPP, which
developed the 3G/UMTS standards, adopted the GSM security features that had
proved to be needed and robust, and tried to ensure compatibility with GSM to ease
inter-working and handover. 3G security tries to correct the problems of GSM by
addressing security weaknesses and by adding new features. 3G security has the
following security features: mutual authentication and key agreement between MS and
network; encryption of user traffic and signalling data over the air interface; and integ-
rity protection of signalling data over the air interface. The GSM security features to
retain and enhance in 3GPP are, according to [1] and [6]: (i) maintain a smart card as a
subscriber identity module (UMTS SIM or USIM); (ii) authentication of the MS to the
network; (iii) encryption of the user traffic and the signalling data over the air inter-
face; and (iv) user identity confidentiality over the air interface.
The new security features required for 3GPP include mandatory integrity protec-
tion for critical signalling commands (e.g. for the start encryption command), which
provides enhanced protection against false BS attacks (section 5.6) by allowing the
MS to check the authenticity of certain signalling messages. This feature also extends
the influence of MS authentication when encryption is not applied by allowing the
PLMN to check the authenticity of certain signalling messages. Mutual authentication
and key agreement also provides enhanced protection against false BS attacks by al-
lowing the MS to authenticate the PLMN. 3G authentication provides authentication
of MS (USIM) to PLMN and PLMN to MS, establishes a cipher key (CK) and an
integrity key (IK), and assures to the MS that the keys were not used before.
In 3G systems a new sequence number (SQN), generated in the AuC, is attached to
the authentication vectors to prevent the threat resulting from their re-use (section
5.7). The USIM has a scheme to verify the freshness of a received SQN (the SQN
attached to an authentication vector must exceed the most recently accepted values).
A Message Authentication Code (MAC) is also attached to show that the authentication
vector (or ‘quintet’) really came from the HPLMN and to integrity-protect the attached SQN.
The encryption of the user traffic and the signalling data over the air interface is
performed through an algorithm called KASUMI [5] (based on the Japanese MISTY1
[7]), which had an open design process and uses a longer (128-bit) cipher key
derived during authentication. The encryption terminates at the RNC, a 3G entity
similar to the BSC. The BS–RNC links, which may run over microwave, are thus
ciphered (section 5.1). KASUMI is also used for the integrity protection of critical
signalling commands between MS and RNC [13].
3G specifications also introduced protection for network signalling data (e.g. quintets)
transmitted between and within networks, since such data can be used to eavesdrop
upon MS traffic or to masquerade as a valid MS. Further, to prevent false messages
being transmitted along the network, it is vital that the origin of such commands can
be authenticated so that only authorised parties can send them.
The use of triplets is a significant GSM feature that permits delegation of the authen-
tication function, as well as cipher key distribution, from the HPLMN to the serving
PLMN with a minimal trust relationship between operators. That is, the home
network does not need to reveal its most sensitive information, such as the secret key
(Ki), to any intermediate entity in the PLMN currently ‘visited’ by the MS. Another
benefit of the use of triplets is that subsequent authentications do not require addi-
tional round trips to the HPLMN, which gives a big performance advantage. This
kind of solution (enhanced in 3GPP with the use of quintets) can be “exported” to
applications like network remote access supporting ubiquitous client mobility.
In particular, consider the scenario where a user’s access device wishes to access the
Internet via multiple different access media and network interfaces (e.g. PPP, Blue-
tooth, IEEE 802.1x), leading to the use of a number of network operators, such as in the
recently inaugurated IETF PANA work4. In this scenario, the backend authentication
server (home AAA5 server) can make use of triplets (or 3G quintets) to delegate the client
(e.g. PANA client) authentication function to any intermediate authentication agent
(e.g. PANA authentication agent) in the access network, achieving a minimal trust rela-
tionship between home and access network operators as well as a performance benefit.
Moreover, the same triplet (or quintet) distribution operation can include cipher
key distribution to any network access point, such as a NAS (Network Access Server),
wishing to establish an encrypted channel with a visiting access device (e.g. PANA
Client). We can imagine a feasible scenario where the interface between the client and
the NAS is wireless and the NAS must use a signalling message, such as a start en-
cryption command, to activate encryption on the air interface. In this case, beyond
the use of triplets, the introduction of mandatory integrity protection for critical sig-
nalling protocol instructions is crucial to avoid the typical masquerading or ‘false
entity in-the-middle’ attack, as occurs in the false BS attack, whose prevention
cannot be achieved by mutual authentication alone. Thus, the mandatory integrity
protection for critical signalling messages is another solution arising from the mobile
telecommunications sphere that can clearly be adapted to security mechanisms for
Internet remote access.
8 Conclusions
This article reviewed GSM cellular phone system security, with a focus on the air
interface protocol. It described the GSM security operation, the effectiveness of
GSM authentication, and the strength of GSM encryption. GSM security threats
and attacks were included for a better understanding of the GSM features retained
and enhanced for Third Generation (3GPP) security.
Some simple but useful and robust security solutions implemented in GSM and en-
hanced in the 3G security, such as the use of triplets and quintets and the mandatory
integrity protection for critical signalling commands, can be “exported” and adapted
for application in other correlated areas, such as authentication for network (Internet)
remote access supporting ubiquitous mobility.
References
[1] 3GPP TS 33.102 V3.11.0, “Security Architecture”, 3rd Generation Partnership Project,
Technical Specification Group, 3G Security, Valbonne, France, 2002, http://www.
3gpp.org/ftp/Specs/2002-03/R1999/33_series/33102-3b0.zip.
[2] A. BIRYUKOV, A. SHAMIR, “Real time cryptanalysis of the alleged A5/1 on a PC”,
preliminary draft, December 1999.
4 PANA is an acronym for “Protocol for carrying Authentication for Network Access”. See
more details at the PANA workgroup link: http://www.ietf.org/html.charters/pana-charter.html.
5 AAA is an acronym for Authentication, Authorization and Accounting.
Abstract. The main contribution of this research is to present a method that
makes it possible to assess vulnerability in the information infrastructure
using simulation technology. To construct the vulnerability assessment
simulation system, we make use of a knowledge-based simulation modeling
methodology, and we designed expressions to estimate the degree of
vulnerability of a host. We also present a newly defined vulnerability analysis
method that is applicable to the vulnerability assessment simulation system. As
research results, the vulnerability assessment simulation system and the
VDBFS (Vulnerability DataBase For Simulator) are constructed.
1 Introduction
Recently, as every area of social activity has become more closely related to the
information infrastructure, the importance of protecting it against threats has
increased. Since most attacks exploit vulnerabilities in networks and systems,
vulnerability assessment is a prerequisite for protecting the information
infrastructure. In the vulnerability assessment area, scanning tools and penetration
tests are widely used. Scanning tools have a vulnerability database that is used to
investigate whether vulnerabilities exist in the information infrastructure. A
penetration test is performed by a human attacker who is good at exploiting
vulnerabilities. These two methods have their own merits, but they have several
shortcomings that make them unsuitable for assessing vulnerabilities in the
information infrastructure. The representative shortcomings that should be
addressed are as follows.
First, the two methods can cause damage or performance degradation in the
information infrastructure, because their activities run on real networks.
Especially when essential services or systems in the information infrastructure
are stopped, it can be badly damaged. Second, with scanning tools or penetration
tests it is impossible to assess the vulnerability of networks that do not yet
exist; there is a need to assess networks that will be constructed in the near
future and networks whose design will be altered. Third, scanning tools and
penetration tests assess the vulnerability of the network based only on its current
security-related state, so it is very difficult to measure the difference after the
security manager applies a new defensive mechanism to the network. Especially, although the
G. Davida, Y. Frankel and O. Rees (Eds.): InfraSec 2002, LNCS 2437, pp. 145–161, 2002.
© Springer-Verlag Berlin Heidelberg 2002
146 H. Kim et al.
results differ according to the manager’s experience and the management period,
these two methods cannot take these attributes into account.
Simulation technology is appropriate for overcoming these limits. When we make
use of simulation technology, the relation between previous and subsequent
behaviors can be defined in the model, and selecting attacks based on the results of
previous attacks is possible. Also, vulnerability assessment using simulation has no
bad effect on the functionality and performance of the information infrastructure, and
makes it possible to evaluate networks that do not yet exist. Additionally,
since attacks are generated along various time axes, it is possible to assess
vulnerabilities at various security levels and management periods.
As a result of this research, we present a vulnerability analysis method that is
appropriate for vulnerability assessment simulation, and a vulnerability assessment
method using simulation technology. As a result of the vulnerability analysis, the
VDBFS (Vulnerability DataBase For Simulator), which contains information on 126
attacks, 110 vulnerabilities, and 384 solutions, is constructed, and the knowledge-based
simulation methodology is used in the construction of the system.
2 Related Work
Fred Cohen [1] proposes a cause-effect model to simulate cyber attacks and defense
efforts. When simulation is started, the cause-effect model is applied to network
model and the process of attacks and defenses is simulated. The cause-effect model is
designed for the purpose of simulation and analysis and it is based on a set of 37
classes of threats, 94 classes of attack mechanisms, and about 140 classes of
protective mechanisms. These are interlinked by a database, which associates threats
with attacks and attacks with defenses. In this simulation, users can specify defender
strength, strategy, and the number of simulation runs. In CMU/SEI [2], an attack-
modeling method is suggested for information security and survivability. In that
research, an attack tree is used to represent an event that could significantly harm the
enterprise’s mission. Also, the attack patterns are defined to represent a deliberate,
malicious attack that commonly occurs in specific contexts. The attack pattern
consists of the overall goal, a list of pre-conditions, the steps for carrying out the
attack, and a list of post-conditions that are true if the attack is successful. Related
attack patterns are organized into attack profile that contains a common reference
model, a set of variants, a set of attack patterns, a glossary of defined terms and
phrases. When attack patterns that have a set of variants are properly instantiated,
we say such patterns are applicable to the enterprise attack tree. Instantiation
substitutes domain-specific values for the variants. Bishop [3] defines a characteristic
of a vulnerability as a condition that must hold for the vulnerability to exist. Each
vulnerability can be represented by its set of characteristics, called the characteristic
set. He hypothesizes that every vulnerability has a unique, sound characteristic set of
minimal size i.e., the basic characteristic set of the vulnerability. A set of
characteristics for a set of vulnerabilities can be determined and the size of a complete
set of characteristics for a system is smaller than the set of vulnerabilities. Each
characteristic suggests a tool to analyze the system or system programs to determine if
the condition exists. This analysis can be used to eliminate vulnerabilities: simply
look for situations in which the characteristic conditions hold, and negate them.
Vulnerability Assessment Simulation for Information Infrastructure Protection 147
Fig. 1. Overall structure of the simulation system: the simulation component comprises an Experimental Frame (with an Attacker model) and a target network of Host Models, each with an Access Control Model and initial and final states; the VDBFS database component comprises the Attack DB and the Vulnerability DB.
Fig. 1 shows the overall structure of the simulation system. It consists of simulation
component and database component. The simulation component consists of
EF(Experimental Frame) which is vulnerability assessment environment and target
network model. The database component contains data used at simulation execution
time. It is named VDBFS (Vulnerability DataBase For Simulator) and consists of the
Attack DB and the Vulnerability DB. The ADBI (Abstracted DataBase Interface) is
designed to interface the simulation component with the VDBFS.
The left side of Fig. 2 shows the simulation processes: model design, model execution,
and model analysis. In the model design process, the models in the model base are
extracted and the overall simulation model is constructed; the data in the VDBFS are
used to execute the model. During the execution process, the data related to
vulnerability assessment are gathered, and they are used in the model analysis
process. The right side of Fig. 2 shows the whole scope of the process related to
vulnerability assessment simulation. The processes in the cross shape are for the end
user of the simulation system, and the other processes are the research scope of this
paper. We have two main research topics: one is the construction of the VDBFS, and
the other is the design and implementation of the models in the model base. The
remainder of this chapter deals with VDBFS and model base construction. In the
VDBFS construction, the cause-effect model and the vulnerability analysis method
are presented. In the model base construction, the design of each model is explained,
focusing on the EF.
CVs and AVs: The definitions of CVs and AVs are as follows:
In the definition of CV, Icv is a set of attack input sequences. Qcv has four
essential states that are meaningful in the simulation. Normal state is a state in which
a target system is waiting for input packets. When the target system is under attack,
system’s state is Intermediate. The Warning state means that the probability of
exploitation occurrence is beyond a specific level, and the system can reach an
abnormal state through a simple malicious action. The Consequence state is the goal
state, which means the target system is exploited by the attacker. δcv is the state
transition function, defined as shown in Fig. 3.
A CV is represented by a logical composition of AVs; VX holds the expression. An
expression is composed of AVs and five binary logical operators. We evaluate the
expression by calling AV objects. If the expression evaluates to TRUE, the target
system that has this vulnerability is exploited by the attack action sequence, and a
state transition to the compromised state occurs in the model.
WSX is the warning-state vulnerability expression; its syntax is the same as VX’s.
If this expression is TRUE, a state transition to the warning state occurs.
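The evaluation of a vulnerability expression over AV objects can be sketched as follows; this is an illustrative reconstruction (the evaluator, the tuple encoding, and the AV aliases are assumptions, and only two of the five binary operators are shown):

```python
def evaluate(expr, av_state):
    """Evaluate a vulnerability expression (VX or WSX).
    expr: an AV alias string, or a nested tuple (op, left, right) with
    op in {"AND", "OR"}.
    av_state: dict mapping AV alias -> bool (whether that AV currently holds)."""
    if isinstance(expr, str):
        return av_state[expr]
    op, left, right = expr
    if op == "AND":
        return evaluate(left, av_state) and evaluate(right, av_state)
    if op == "OR":
        return evaluate(left, av_state) or evaluate(right, av_state)
    raise ValueError(f"unknown operator: {op}")

# Hypothetical CV whose VX requires all three AVs to hold:
vx = ("AND", ("AND", "AV#1", "AV#2"), "AV#3")
state = {"AV#1": True, "AV#2": True, "AV#3": True}
assert evaluate(vx, state)        # VX TRUE -> transition to compromised state
state["AV#2"] = False
assert not evaluate(vx, state)    # one AV false -> no exploitation
```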
Atomic Vulnerability: AV = {Iav, Qav, δav, Type, Category}
Where,
Iav = {Iav1, Iav2, …, Iavn}
Qav = Q(initial state) ∪ Q(final state)
δav : Iav × Q(initial state) → Q(final state)
AND relation (AND): represents a vulnerability that is exploited only if both AVs are true.
In the definition of AV, Qav is a set of states. Q (initial state) is a subset of Qav
and has special states NONE and ANY. Q (final state) is a subset of Qav and has a
special state NONE. Iav is a set of attack input sequences to AV. δav is a state
transition function. Identification of states and attack inputs is relevant to the future
application [3]. If the goal of vulnerability analysis is to develop automated tools such
as a vulnerability scanner, the abstraction level should be low; a low level requires
precise and well-defined identification. If the tools are to be run with much human
intervention and analysis, the abstraction level may be higher. The abstraction level of
this research is related to the simulation methodology: we model systems at the
conceptual level of Ye’s process control approach [6]. The conceptual level describes
security-critical states and state transitions of an entity. Attack inputs are formalized
in the form [command parameter], e.g. lpd [file beginning with "cf" and execute command].
Type and Category are bases for classifying the corresponding AV. An AV is one
of three types: Fact, NonProb, or Prob. A Fact AV has no input (NONE) and no state
(NONE); therefore, a Fact AV’s δav is δav(NONE, NONE) = NONE. This type
explains the corresponding AV’s origin. The NonProb and Prob types indicate whether
the AV is exploited deterministically or probabilistically. Category is Generic,
Application-Specific (for a specific application), or System-Specific (for a specific
OS or H/W).
We present two examples to show how the CV and AV are defined. For each
example, we describe vulnerability and then define it as one CV, several AVs and
relation among the AVs.
Example One. libedit searches for the .editrc file in the current directory instead of
the user’s home directory, which may allow local users to execute arbitrary commands
by installing a modified .editrc in another directory [7]. The CVE code is CVE-2000-0595.
Vulnerable S/W is FreeBSD 4.0 and earlier. An attacker exploits this vulnerability by
executing /usr/sbin/nslookup or /usr/bin/ftp, which are statically or dynamically linked
with libedit. This vulnerability is decomposed into 3 AVs. First, AV#1 represents that
libedit searches for the .editrc file in the current directory instead of the user’s home
directory.
δav of AV#1: (libedit [.editrc], ANY) → sGainFileAccess(libedit)
In this section, the design of the model components is explained; the model base
includes the EF (Experimental Frame) Model, the Host Model, and the Security Model.
Example Two: CV CVE-1999-0704, with VX = AV#4 and AV#5 and AV#6; the attack input amd [shellcode] drives the state from Normal through Warning to Consequence. AV#3: Type = Fact, Category = Generic, Alias = avNoCheckParameterCondition. AV#4: Type = Fact, Category = Generic, Alias = avEnabledAlterReturnAddressInStack. AV#5: Type = NonProb, Category = Application-Specific, Alias = avRootShellCreated(amd).
condition. The EF usually has two types of components: a generator, which generates
input segments to the system, and a transducer, which observes and analyzes the system
output segments. Fig. 6 represents the EF that is used for vulnerability assessment. It
consists of the Attack Simulator model, which generates attacks against the target
network, and the Evaluator model, which observes and analyzes the model’s reaction.
The Attack Simulator consists of the Attacker model and the Input Generator model.
The Evaluator model receives generated attack information from the Attacker model
and the reaction of the network model through the port ‘solvd’.
The Evaluator model has two roles in meeting the objectives of the simulation. One is
to gather data from the target network, and the other is to analyze the data and show
the security-related characteristics of the network. In the model design, we can see the
simulation-based security analysis method, its limits, and the method of overcoming
them. In the analysis method description, we distinguish two types of method, because
the simulation time units differ and the causes of exploitation are clearly different.
The two analysis methods are as follows.
Flooding Attack Analysis: In a flooding attack, the attacker effectively disables a server
by overwhelming it with connection requests or data transfers. The achievement of
the attacker’s goal (denial of service) is determined by the resources of the server
and the severity of the attack (number of attack inputs per time unit). In this circumstance,
we define a performance index that represents the host’s vulnerability against flooding
attacks. The degree of flooding attack vulnerability is described in (1).
\[
V^{k}_{flooding} = \frac{1}{T^{k}_{CapaSaturation}},
\qquad
T^{k}_{CapaSaturation} = \frac{R^{k}}{A^{k} - (A^{k} \times FR^{k})}
\]
\[
V^{host}_{flooding} = \frac{\sum_{k=1}^{NP} \beta^{k}\, V^{k}_{flooding}}{NP}
\tag{1}
\]
where
$V^{k}_{flooding}$: degree of vulnerability of the $k$th protocol in a host;
$V^{host}_{flooding}$: degree of vulnerability of the host;
$NP$: number of protocols;
$\beta^{k}$: coefficient to calculate the vulnerability contribution of the $k$th protocol;
$A^{k}$: attack input generation rate (inputs/msec) of the $k$th protocol;
$T^{k}_{CapaSaturation}$: capacity saturation time (msec) of the $k$th protocol;
$R^{k}$: allotted resource of the $k$th protocol;
$FR^{k}$: filtering rate of the access control list of the $k$th protocol, with $0 \le FR^{k} \le 1$.
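The index in (1) can be computed as follows (a minimal sketch; the protocol parameters and β coefficients in the example are illustrative, not taken from the paper):

```python
def protocol_flooding_vulnerability(A, R, FR):
    """Degree of flooding vulnerability of one protocol, per (1).
    A: attack input generation rate (inputs/msec), R: allotted resource,
    FR: access-control-list filtering rate in [0, 1]."""
    effective_rate = A - A * FR          # attack inputs that pass the ACL
    if effective_rate <= 0:
        return 0.0                       # the resource never saturates
    t_saturation = R / effective_rate    # capacity saturation time (msec)
    return 1.0 / t_saturation

def host_flooding_vulnerability(protocols, betas):
    """Weighted average over the NP protocols of a host, per (1)."""
    NP = len(protocols)
    return sum(b * protocol_flooding_vulnerability(*p)
               for b, p in zip(betas, protocols)) / NP

# Hypothetical host with two protocols (A, R, FR); values are illustrative.
v = host_flooding_vulnerability([(10.0, 500.0, 0.5), (4.0, 200.0, 0.0)],
                                betas=[1.0, 1.0])
```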
\[
V^{universal}_{s/w} = \sum_{k=1}^{n} I_k \cdot e(k),
\qquad
V^{selected}_{s/w} = \sum_{k=1}^{m} I_k \cdot e(k)
\]
\[
V^{unknown}_{s/w} = V^{universal}_{s/w} - V^{selected}_{s/w} = \sum_{k=m+1}^{n} I_k \cdot e(k),
\qquad
e(k) = \begin{cases} 1 & \text{when the $k$th vulnerability is exploited} \\ 0 & \text{otherwise} \end{cases}
\tag{2}
\]
where
$n$: number of elements of the universal vulnerability set;
$m$: number of elements of the selected vulnerability set;
$V^{universal}_{s/w}$: degree of universal S/W vulnerability in a host;
$V^{selected}_{s/w}$: degree of selected S/W vulnerability in a host;
$V^{unknown}_{s/w}$: degree of unknown S/W vulnerability in a host;
$I_k$: impact of the $k$th vulnerability in a host.
Equation (2) presents the three types of vulnerability and the relation among them. Under our assumption, the target system is more vulnerable than the simulation result indicates, since it has unknown vulnerabilities that are not contained in the VDBFS.
\[
V^{universal}_{s/w} = V^{selected}_{s/w} \times \left(1 + \frac{V^{unknown}_{s/w}}{V^{selected}_{s/w}}\right)
\]
\[
UnknownVulFactor\ (\gamma) = \frac{V^{unknown}_{s/w}}{V^{selected}_{s/w}}
= \frac{\sum_{k=m+1}^{n} I_k \cdot e(k)}{\sum_{k=1}^{m} I_k \cdot e(k)}
= \frac{\sum_{k=m+1}^{n} e(k)}{\sum_{k=1}^{m} e(k)},
\quad \text{where we assume all } I_k = 1.
\]
The value of $\gamma$ can be simplified in these three cases:
\[
\gamma = \begin{cases}
0 & \text{when all } e(k) \text{ in the unknown case are } 0\text{, or } n = m \\[4pt]
\dfrac{n-m}{m} & \text{when the average of } e(k) \text{ in the unknown case equals that in the selected case} \\[4pt]
\dfrac{n-m}{\sum_{k=1}^{m} e(k)} & \text{when all } e(k) \text{ in the unknown case are } 1
\end{cases}
\tag{3}
\]
\[
BufferOccupationRate = \frac{CurrentBufferSize}{TotalBufferSize} \times 100\ (\%)
\tag{4}
\]
The Buffer Occupation Rate and a threshold value are used to decide the state transition from the normal state to the abnormal state. The Vulnerability Model consists of a CV list and an AV list. The AV list consists of system AVs and application AVs, and each CV has a vulnerability expression composed of AVs and logical operators.
Fig. 7 shows the timing diagram of the host model. As shown in Fig. 7, there are critical attack inputs at t1 and t2, and state transitions occur from normal to warning and from warning to abnormal. In this case, the vulnerability expression is fired by the critical attack input at t3. There is also a flooding attack from t4 to t6, which affects the Buffer Occupation Rate in (4), and again there are state transitions from normal to warning and from warning to abnormal. For the flooding type of attack, the amount of buffer resource and the reset timer are the critical factors that decide the state transitions.
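The flooding-driven transitions above can be sketched as a threshold check on the Buffer Occupation Rate of (4) (a simplified illustration; the threshold values are assumptions, and the critical-attack-input transitions are omitted):

```python
def buffer_occupation_rate(current, total):
    """Equation (4): buffer occupation in percent."""
    return current / total * 100.0

def host_state(rate, warn_threshold=50.0, abnormal_threshold=90.0):
    """State of the host model driven by the Buffer Occupation Rate.
    The two thresholds are illustrative, not the paper's calibrated values."""
    if rate >= abnormal_threshold:
        return "abnormal"
    if rate >= warn_threshold:
        return "warning"
    return "normal"

# A flooding attack fills the buffer over time: normal -> warning -> abnormal.
states = [host_state(buffer_occupation_rate(c, 100)) for c in (10, 60, 95)]
```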
There are four types of security models that have a facility controlling access by external input. The first is the user authentication model and the second is the network access control model, which are components of the OS Security Model. The third is the static and dynamic packet filter model and the fourth is the application proxy model; these packet filter and proxy models are components of the Firewall Model. Fig. 8 shows the behavioral feature of this mechanism. When an external input is inserted into the model, the model performs inference over the security rules and the external input. The result of the inference is to drop or accept the input.
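The inference step of Fig. 8 can be sketched as follows (a minimal illustration; the rule predicates and packet fields are hypothetical, not the model's actual rule language):

```python
def infer(rules, packet):
    """Return 'drop' if any security rule matches the external input,
    else 'accept' -- the two outcomes of the inference in Fig. 8."""
    for rule in rules:
        if rule(packet):
            return "drop"
    return "accept"

# Hypothetical rule set: filter known-unreliable hosts and rate-limit SYNs.
rules = [
    lambda p: p["src"] in {"192.168.1.4"},               # unreliable host
    lambda p: p["flags"] == "SYN" and p["rate"] > 100,   # access rate rule
]
verdict = infer(rules, {"src": "10.0.0.7", "flags": "SYN", "rate": 150})
```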
Vulnerability Assessment Simulation for Information Infrastructure Protection 157
In this section, we show a simulation example to validate our simulation model. Fig. 9 shows a simulation result for a SYN flooding attack. We select two attacker systems in two different domains. SYN flooding attack C is twice as severe as attack B, and attack B is twice as severe as attack A. In our simulation model, there are two points at which access control rules can be applied: one is the Firewall Model located at the front of the network, and the other is the Host Security Model that is a component of the Host Model. We specify four security scenarios. First, in scenario A, we do not use any access control rules. Second, in scenario B, we deploy rules that filter SYN packets from unreliable hosts. Third, in scenario C, we deploy access rate rules. Fourth, in scenario D, we deploy both the access control rules of scenarios B and C.
In this simulation, the inter-arrival time of attack inputs is taken to be an exponential random variable with the means given in Table 2. We executed each simulation 5 times using different seed values. Scenarios B and D of Fig. 9 show that when SYN packets from unreliable hosts are filtered, the degree of vulnerability decreases by about half. Also, when we deploy the access rate rules in scenarios C and D, there is a limit to the decrease in the degree of vulnerability; this limit is caused by the threshold of the access rate rules. When the threshold value is large, there is no effect on the degree of vulnerability in the cases of SYN Flooding A and B. Also, as the defense scenario becomes weaker, the variance of the degree of vulnerability becomes larger.
Table 2. Attack scenarios: inter-arrival time distributions of attack inputs

Attacker Host IP   SYN Flooding A                      SYN Flooding B                     SYN Flooding C
xxx.xxx.160.4      Exponential dist., mean = 100 msec  Exponential dist., mean = 50 msec  Exponential dist., mean = 25 msec
yyy.yyy.150.4      Exponential dist., mean = 100 msec  Exponential dist., mean = 50 msec  Exponential dist., mean = 25 msec
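The attack input generation of Table 2 can be sketched with Python's standard exponential sampler (an illustration of the setup, not the simulator's code; the helper name and seed are ours):

```python
import random

def attack_arrival_times(mean_msec, n, seed):
    """Sample n exponentially distributed inter-arrival times (msec) and
    accumulate them into absolute attack instants, mirroring the Table 2
    setup; seed plays the role of the per-run seed values."""
    rng = random.Random(seed)
    t, times = 0.0, []
    for _ in range(n):
        # expovariate takes the rate (1 / mean), not the mean itself.
        t += rng.expovariate(1.0 / mean_msec)
        times.append(t)
    return times

# SYN Flooding A against xxx.xxx.160.4: mean inter-arrival time 100 msec.
times = attack_arrival_times(100.0, n=1000, seed=1)
```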
Pseudonymizing Unix Log Files

Ulrich Flegel
Abstract. Unix systems in many cases record personal data in log files.
We present tools that help in practice to retrofit privacy protection
into existing Unix audit systems. Our tools are based on an approach
to pseudonymizing Unix log files while balancing user requirements for
anonymity and the service provider’s requirements for accountability.
By pseudonymizing identifying data in log files the association between
the data and the real persons is hidden. Only upon good cause shown,
such as a proceeding attack scenario, can the identifying data behind the pseudonyms be revealed. We develop a trust model as well as an architecture that integrates seamlessly with existing Unix systems. Finally,
we provide performance measurements demonstrating that the tools are
sufficiently fast for use at large sites.
1 Introduction
In times when companies appreciate the value of personal information, customers
will increasingly appreciate the protection of their valuable personal data. Survey
after survey shows that privacy concerns with respect to the use of the internet
are on the rise [5,6,7]. A gap has been shown between what kind of identifying
data users think ought to be collected versus what kind they think actually
is collected when accessing a web site. The biggest disagreement is shown for
some of the data commonly logged by web servers such as machine name or IP
address, browser and OS [7]. Most users would rather not access a site than reveal
personal information asked by the site for registration [7]. The vast majority of
users strongly values being able to anonymously use internet services [7]. This
situation calls for privacy enhancing technologies that can be used today and
that help service providers to comply with user expectations as well as with legal
regulations concerning personal data. Service providers that can credibly assure
their customers the protection of their personal data may gain a competitive
advantage over those that can’t. Consider as a simple example a web site where
the service provision requires no user registration and no billing. There is a
reasonable user expectancy to be able to access the site anonymously.
Furthermore, prevalent statutory regulations confine the processing¹ of personal data. Considering our example web site, the users would not only have
This work is currently partially funded by the German Research Council (DFG)
under grant number Bi 311/10-2.
¹ Processing, in relation to personal data, covers virtually the entire data life cycle from collection through to erasure of the data when no longer required.
G. Davida, Y. Frankel and O. Rees (Eds.): InfraSec 2002, LNCS 2437, pp. 162–179, 2002.
© Springer-Verlag Berlin Heidelberg 2002
Pseudonymizing Unix Log Files 163
reason to expect, but they would also have a right to be able to use the site
anonymously, based on the pertinent legal situation in many western countries.
Refer to [3] and [8] for a more detailed discussion of the related legal issues.
Unfortunately it is insufficient to merely legally interdict the misuse of personal
data. Once personal data has been collected its processing is hard to control
in a non-technical way, since any processing can occur on arbitrary copies of
the data. Considering the example web site it is practically futile for a user to
determine or even to prove that the organizational controls are ineffective wrt.
the protection of his personal data.
Therefore we observe an increasing demand for strong technical enforcement
of privacy principles. Multilaterally secure systems take into account and balance
conflicting security requirements of all involved parties. Accordingly a multilat-
erally secure internet service allows customers to act pseudonymously as long
as violations of the service security policy are still detectable. In return the ser-
vice provider is allowed to recover the identities of customers upon good cause
shown, which supports the hypothesis of violations of the security policy. Trans-
lated to the example web site this means that the IP addresses and potentially
other identifying data are pseudonymized when the web server logs are gener-
ated. Only if a client exploits a vulnerability of the web server its IP address
and other identifying data is recoverable.
This paper demonstrates that the approach to threshold-based identity re-
covery we designed in [4,3] is actually implementable and applicable in practice.
Specifically the contributions of this paper are the following:
users. Audit components specifically designed for compliance with the Trusted
Computer System Evaluation Criteria (TCSEC) (C2 or higher) [9,10] or the
Common Criteria (FAU GEN1.2 and FAU GEN2) [11] are required to record in-
formation identifying the originator of an event. Hence, all of these audit com-
ponents record personal data and need to be considered for pseudonymization.
In addition to the audit components of the operating system, application pro-
cesses record audit data containing personal data, such as web servers and mail
exchangers.
scope of this approach. Refer to Sect. 5 for related work. Pseudonymization can
be used to make inferences on the pseudonymized data impractical. However,
we cannot avoid inferences that take into account additional information outside
the scope of pseudonymization.
Our approach to pseudonymization balances conflicting security requirements
of at least two parties. On the one hand the users of an IT system wish to use it
anonymously to protect their privacy. On the other hand the IT system owner’s
representative responsible for the system security requires accountability in the
case of policy violations. Other interests in identifying users are not considered
here, such as direct marketing by means of user profiling.
So as not to put the mutual security requirements for anonymity and accountability at risk, neither of the above-mentioned parties can be allowed to control the audit components, syslogd and the pseudonymizer. Hence we introduce a
third party denoted as the personal data protection official (PPO), who controls
above mentioned system components (see the PPO domain in Fig. 1). The PPO
is trusted by the users to protect their pseudonymity and he is trusted by the
site security officer(s) (SSO) to ensure accountability in the face of a security
incident.
In the current implementation audit components (with the help of redirectors)
feed audit records via a wrapper or via syslog into the pseudonymizer (see Fig.
1 and Sect. 3.2). The pseudonymizer substitutes predefined types of identifying
information, henceforth denoted as features, by pseudonyms. We exploit Shamir’s
threshold scheme for secret sharing to generate the pseudonyms. Owing to the
properties of the threshold scheme we use, the features behind the pseudonyms
can be recovered only under certain conditions later on (see Sect. 3.2). Thus,
attacks on the pseudonymity of the system users are anticipated and resisted
as soon as the pseudonymized audit records leave the pseudonymizer. Note that
audit records should be pseudonymized on the same physical component where
they are generated by the audit components. This may not be possible in some
situations, f.i. when consolidating audit data generated by routers or Windows
driven systems as is proposed in Sect. 2.1. In such cases additional measures must
be taken by the PPO to provide a secure channel between the audit component
and the pseudonymizer.
The pseudonymized audit data is delivered to and analyzed by the SSO to
acquire indications for policy violations (see the SSO domain in Fig. 1). In order
to support aforementioned analysis the pseudonyms of a given identifying feature
are linkable wrt. a given suspicion. Given sufficient suspicion, the pseudonyms
can be used to reveal the originally substituted features in the hope of gaining more information that helps to identify the perpetrator. In our approach sufficient
suspicion is defined by a threshold on weighted occurrences of potentially attack-
related events. The recovery of a feature is possible if and only if the correspond-
ing threshold is exceeded. Thus, the SSO’s requirement for accountability is met
if the definition of sufficient suspicion is satisfied, but not otherwise, conforming
to the user requirement for pseudonymity. The recovery of identifying features
is done by the reidentifier, which is – unlike the pseudonymizer – fed with the
output files of syslogd (see Fig. 1).
for that feature. The reidentifier uses Lagrange interpolation to recover the decryption key from a sufficient number of shares belonging to the same feature.
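The share generation and recovery can be sketched with a toy Shamir scheme over a prime field (illustrative only: the prime, secret and parameters are ours; the real tools encrypt features and share the decryption key as described in Sect. 3.2):

```python
import random

P = 2**61 - 1  # prime modulus of the share field (illustrative choice)

def make_shares(secret, threshold, n, rng):
    """Split secret into n Shamir shares with the given threshold [16]:
    evaluate a random polynomial of degree threshold-1 at x = 1..n."""
    coeffs = [secret] + [rng.randrange(P) for _ in range(threshold - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def recover(shares):
    """Lagrange interpolation at x = 0, as done by the reidentifier."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

rng = random.Random(0)
shares = make_shares(123456789, threshold=3, n=6, rng=rng)
assert recover(shares[:3]) == 123456789  # any 3 shares recover the secret
```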
Architecture: We supply tools for the PPO and for the SSO: redirector, wrapper, pseudonymizer and shared for the PPO, and reidentifier and combined for the SSO, respectively. The tools are portable and have been used successfully on Solaris, OpenBSD and Linux.
According to Sect. 3.1 the audit components, redirector, wrapper,
syslogd, pseudonymizer and shared are controlled by the PPO. The audit
components are configured to generate only audit data required for sustained
service provision, such as audit data indicating proceeding attacks against the
site. The audit data is written to /dev/log (with the help of redirectors), to
UDP port 514 and to other locations usually read by syslogd, f.i. /dev/klog
for OpenBSD kernel audit data. In Fig. 1 the wrapper intercepts audit data at /dev/log and at UDP port 514 (we actually use UDP port forwarding to redirect packets sent to port 514 to the port where the wrapper listens). Audit data that cannot be intercepted is received by syslogd and sent on to the wrapper (see the dotted lines in the PPO domain in Fig. 1); for example, OpenBSD kernel audit data written to /dev/klog cannot be intercepted because the OpenBSD syslogd is hard-coded to read kernel audit data from /dev/klog. The pseudonymizer is fed with audit data by the wrapper.
This solution can be used if syslogd is not to be replaced or modified. Optionally we provide a patch for syslogd such that incoming audit data is sent directly to the pseudonymizer without involving the wrapper. For this solution syslogd needs to be replaced by a patched version (refer to [1] for details).
The audit data contains identifying features that need to be pseudonymized. The pseudonymizer parses each incoming audit record, determines the appropriate scenarios and asks shared for pseudonyms for the features wrt. these
scenarios. shared provides the cryptographic primitives, such as symmetric en-
cryption and secret sharing. For encryption shared uses the OpenSSL crypto
library [17] and the threshold secret sharing scheme is implemented using the
GNU Multiple Precision Arithmetic library (GMP) [18]. shared may run on
the same machine as the pseudonymizer, or it may run remotely. This allows
several distributed pseudonymizers to use a central shared with the result that
pseudonyms for a given identifying feature are linkable across the corresponding
distributed audit components. The protocol used for communication between the
pseudonymizer and shared transfers identifiable features. Since the PPO might
not control the network between the pseudonymizer and shared, the channel is
protected using the OpenSSL SSL/TLS library [19] when shared runs remotely.
The pseudonymizer replaces the identifying features with the pseudonyms de-
livered by shared. The pseudonymized audit data is then handed to syslogd
(via the wrapper). In the recommended setup syslogd sends the pseudonymized
audit records to a remote syslogd running under the control of the SSO. Note
that using the recommended setup audit data is not written into disk files before
it is pseudonymized and received in the SSO domain.
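The substitution step can be sketched as follows (a schematic, not the actual pseudonymizer: real pseudonyms carry shares, per Sect. 3.2, while get_pseudonym here merely hands out stable opaque labels to show linkability):

```python
import re

# Table of feature -> pseudonym; a stand-in for the protocol to shared.
_pseudonyms = {}

def get_pseudonym(feature):
    """Hand out a stable opaque label per feature (linkable pseudonyms)."""
    return _pseudonyms.setdefault(feature, "pnym%d" % len(_pseudonyms))

def pseudonymize(record):
    """Replace each IPv4 address in an audit record with its pseudonym.
    Only one feature type (IPv4) is handled in this sketch."""
    return re.sub(r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
                  lambda m: get_pseudonym(m.group(0)), record)

line = "13:42:06 tcplog[1040]: SYN RES2 : ftp from 192.168.1.4 port 45691"
out = pseudonymize(line)
```

Because the same feature always maps to the same label, pseudonyms of a given feature remain linkable across records, as required for the SSO's analysis.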
In compliance with Sect. 3.1 the syslogd receiving pseudonymized audit
records from the pseudonymizer as well as the reidentifier and combined
are controlled by the SSO. syslogd receives the pseudonymized audit records
and handles them according to the SSO’s requirements. If the SSO wishes to be
able to recover identifying features some time later, syslogd needs to be con-
figured to write those audit records to a log file (see Fig. 1). When needed, the
reidentifier is started manually or automatically on an alarm. It reads the
log file, determines which pseudonyms satisfy their scenario and asks combined
to recover the respective identifying features. combined provides cryptographic
primitives, such as symmetric decryption and Lagrange interpolation, the re-
verse operation for the threshold secret sharing scheme we use. For decryption
combined also uses the OpenSSL crypto library [17] and the Lagrange inter-
polation again is implemented using the GMP library [18]. combined may run
on the same machine as the reidentifier, or it may run remotely. The proto-
col used for communication between the reidentifier and combined transfers
identifiable features. Since identifiable features are transferred only if a scenario
is satisfied, i.e. the SSO is allowed to see the features, there is no need for a
channel providing confidentiality.4 The reidentifier replaces all recoverable
pseudonyms with the corresponding identifying features delivered by combined.
4 Performance
The pseudonymizer processes audit data as soon as it has been generated. It is
thus required, that it is able to pseudonymize audit records sufficiently fast to
avoid a bottleneck, which might impair overall system performance. In contrast,
the reidentifier is used only sparingly and need not satisfy real-time requirements.

⁴ If the SSO does not control the network between combined and the reidentifier, a confidential channel can be provided.
The performance measurements were conducted on a single processor Pen-
tium III 650MHz machine with 256MB RAM and a 100Mbps Fast-Ethernet
NIC, running OpenBSD 2.7. For all the details about the presented performance
measurements and for additional results refer to [1].
has a linear influence on the performance since these objects are managed using
lists (see Fig. 2d). The more features per audit record are pseudonymized, the
more often the pseudonymizer asks shared for pseudonyms. In addition to the
communication overhead more feature type contexts need to be matched by
the pseudonymizer (see Fig. 2e). The pattern matching is the main cause for
the performance loss when many features need to be pseudonymized per audit
record. In contrast to this the performance loss caused by generating pseudonyms
with larger weights is moderate (see Fig. 2f). There is no additional pattern
matching or communication overhead involved. Increasing the threshold not only slows down the generation of pseudonyms using share(), but also the initial
generation of pseudo-random numbers for each distinct feature in a scenario
using initialize() (see initialize() and share() with mpz powm in Fig.
2a in comparison to Fig. 2b). However, in practice the parameters will only in
rare cases reach values as high as shown in Fig. 2. In the next section we show
that even in these rare cases the performance of the pseudonymizer is sufficient
to cope with the audit record volume of a large site.
To be able to judge whether our tools perform fast enough in a real world server
environment we evaluated syslog and Apache audit records from a central server
at the Center for Communication and Information Processing at the University
of Dortmund. The machine hardware consists of a SUN Ultra Enterprise 4000
with 3GB RAM, six Ultra SPARC 168MHz CPUs, three disk arrays totaling
396GB and a 100Mbps full-duplex Fast-Ethernet uplink. The server runs Solaris
7 and about 1050 users are registered, which are employees and students of the
University of Dortmund. During working hours an average of 25 users is logged
on simultaneously. We took into account the following services provided by the
machine: 37 world accessible Apache web servers, one FTP server with about
112000 FTP transfers per month with a volume of 12GB, and email services
(SMTP, IMAP, POP) with about 45000 emails per month.
We evaluated all Apache access audit records collected over a period of 13
days for all 37 web servers. We have also evaluated all syslog audit records
collected over a period of four weeks. We observed that the pseudonymizer is
able to keep up with the number of audit records generated even in situations
where some audit component generates an abnormally high number of audit
records. See Table 1 for the maximum numbers of audit records we measured.
For more details about the evaluation and for statistics refer to [1].
5 Related Work
Our tools can be applied to server log data in order to hide information that
may directly or indirectly identify the users that accessed the server. There are
other well known services available to achieve this at the price of installing some
client-side software or requiring the user to perform additional steps in order
for the aforementioned MIX technologies. Indeed, even in the case of misuse of a
service by an anonymous user it is infeasible for the provider or for investigating
authorities to establish accountability. Contrary to this our tools provide for
recoverability of pseudonymized data under certain conditions.
Due to this property our work is strongly related to privacy enhanced in-
trusion detection systems. Most of these systems use pseudonymization to hide
identifying information after it has been generated and recorded in audit data.
Some approaches have been published for the Intrusion Detection and Avoid-
ance system (IDA) [23], the Adaptive Intrusion Detection system (AID) [23], a
Firewall audit analyzer [24] and for the Aachener Network Intrusion Detection
Architecture (ANIDA) [25]. These approaches have been reviewed and compared
to our work in [2]. Intrusion detection systems (IDS) do not only give warnings
in case of attacks, they also record evidence for further investigation. In case
an attacker is to be prosecuted, it is desirable to extract identifying informa-
tion from the recorded data. Privacy enhanced IDS support the recovery of
pseudonymized information. A common weakness of existing privacy enhanced
IDS is that they do not technically bind the recovery of identifying information to
a specific purpose such as the investigation of a proceeding attack. Some privacy
enhanced IDS require a third party to cooperate in the recovery process. The
users have to trust that party to allow recovery only for given legitimate pur-
poses. Other privacy enhanced IDS provide no strong protection against recovery
for other purposes [2]. In contrast to this our tools instantly allow for recovery
of pseudonymized data if predefined conditions bound to a specific purpose are
met, but not otherwise.
Similar mechanisms are found in fair offline electronic payment systems. Such
systems allow for anonymous payment as long as no payment unit has been spent
more often than permitted. In the case of double spending of electronic coins,
the perpetrator can be traced [26]. Some of the recovery techniques used are
similar to the scheme our tools employ. Others use group signatures to achieve
recoverability [27].
Payment units in fair offline electronic payment systems are also similar to
anonymous credentials, which can be used for anonymous authentication. Many
schemes for anonymous authentication support identity recovery while employ-
ing different techniques. Some schemes have been related to our approach in
[4]. Since the resources of the target service are accessed using anonymous and
pseudonymous credentials or payment units, the target service does not learn
identifying information about the users during authentication. The users do not
need to trust the target service provider regarding their anonymity. Also, mal-
formed credentials, which do not exhibit the properties required by the target
service can be rejected, avoiding further damage. On the other hand, before they
can access any target service anonymously, users need to register with some third
party to generate credentials and payment units. Since no such infrastructure has
yet been widely adopted, in the meantime service providers can pseudonymize
log data to offer privacy enhanced service access.
6 Conclusion
We motivated the need for technical enforcement of privacy principles and sur-
veyed related work on privacy enhancing technologies. Though many of the re-
lated approaches allow for a strong trust model, they require the user to take
additional steps and/or install client-side software. Also many approaches re-
quire a widely accepted infrastructure for issuing and managing credentials and
payment units. None of these infrastructures is yet in widespread use, i.e. service
providers cannot adopt widely accepted standards.
In contrast to this situation service providers are expected to respect and
protect the privacy of their clients. We supply tools that help to retrofit privacy
protection into existing Unix systems by means of pseudonymization of identify-
ing features in audit data. Different from existing log file anonymizers or privacy
enhanced intrusion detection systems, our approach balances requirements re-
garding anonymity and accountability. That is, pseudonymized identifying fea-
tures can be revealed only if given definitions of scenarios requiring to do so are
satisfied, but not otherwise. A trusted third party ensures that these scenarios
meet the requirements regarding anonymity and accountability. This party con-
trols the technical components that enforce the proper pseudonymization, such
that later on identifying features can be recovered.
We described the trust model and architecture of the tools, and we presented
performance measurements of the pseudonymizer. Finally we demonstrated mea-
surements of the audit data volume generated by a real world system, indicating
that the performance of the pseudonymizer should be sufficient for application
at sites with even larger audit data volume.
References
[1] Ulrich Flegel. Pseudonymizing Unix log files. Technical report, Dept. of Computer
Science, Chair VI Information Systems and Security, University of Dortmund,
D-44221 Dortmund, May 2002. Extended version of this paper.
http://ls6-www.cs.uni-dortmund.de/issi/archive/literature/2002/
Flegel:2002a.ps.gz.
[2] Joachim Biskup and Ulrich Flegel. On pseudonymization of audit data for in-
trusion detection. In Hannes Federrath, editor, Proceedings of the international
Workshop on Design Issues in Anonymity and Unobservability, number 2009 in
LNCS, pages 161–180, Berkeley, California, July 2000. ICSI, Springer.
[3] Joachim Biskup and Ulrich Flegel. Transaction-based pseudonyms in audit data
for privacy respecting intrusion detection. In Hervé Debar, Ludovic Mé, and
S. Felix Wu, editors, Proceedings of the Third International Workshop on Recent
Advances in Intrusion Detection (RAID 2000), number 1907 in LNCS, pages 28–
48, Toulouse, France, October 2000. Springer.
[4] Joachim Biskup and Ulrich Flegel. Threshold-based identity recovery for privacy
enhanced applications. In Sushil Jajodia and Pierangela Samarati, editors, Pro-
ceedings of the 7th ACM Conference on Computer and Communications Security,
pages 71–79, Athens, Greece, November 2000. ACM SIGSAC, ACM Press.
[5] Privacy survey results, January 2002.
http://www.cdt.org/privacy/survey/findings/.
[6] Louis Harris & Associates Inc. IBM multi-national consumer privacy survey.
Technical Report 938568, IBM Global Services, 1999.
[7] Jarek Rossignac et al. GVU's 10th WWW User Survey, December 1998.
http://www.cc.gatech.edu/gvu/user_surveys/survey-1998-10/graphs/graphs.html#privacy.
[8] Steven R. Johnston. The impact of privacy and data protection legislation on the
sharing of intrusion detection information. In Lee et al. [28], pages 150–171.
[9] National Computer Security Center. US DoD Standard: Department of Defense
Trusted Computer System Evaluation Criteria. DOD 5200.28-STD, Supercedes
CSC-STD-001-83, dtd 15 Aug 83, Library No. S225,711, December 1985.
http://csrc.ncsl.nist.gov/secpubs/rainbow/std001.txt.
[10] National Computer Security Center. Audit in trusted systems. NCSC-TG-001,
Library No. S-228,470, July 1987.
http://csrc.ncsl.nist.gov/secpubs/rainbow/tg001.txt.
[11] Common Criteria Implementation Board. Common Criteria for Information
Technology Security Evaluation — Part 2: Security functional requirements, Ver-
sion 2.1. Number CCIMB-99-032. National Institute of Standards and Technology,
August 1999. http://csrc.ncsl.nist.gov/cc/ccv20/p2-v21.pdf.
[12] C. Lonvick. RFC 3164: The BSD syslog Protocol, August 2001.
http://www.ietf.org/rfc/rfc3164.txt.
[13] syslog.conf. Manual Page.
[14] Martin Roesch. Snort – lightweight intrusion detection for networks. In Proceed-
ings of LISA’99: 13th Systems Administration Conference, pages 229–238, Seattle,
Washington, November 1999. The Usenix Association, Usenix.
[15] Giovanni Vigna, Richard A. Kemmerer, and Per Blix. Designing a web of highly-
configurable intrusion detection sensors. In Lee et al. [28], pages 69–84.
[16] A. Shamir. How to share a secret. Communications of the ACM, 22:612–613,
1979.
[17] OpenSSL cryptographic library, December 2001.
http://www.openssl.org/docs/crypto/crypto.html.
[18] Torbjörn Granlund. The GNU Multiple Precision Arithmetic Library. GNU, 3.1.1
edition, September 2000. http://www.gnu.org/manual/gmp/index.html.
[19] OpenSSL SSL/TLS library, December 2001.
http://www.openssl.org/docs/ssl/ssl.html.
[20] Claudia Eckert and Alexander Pircher. Internet anonymity: Problems and so-
lutions. In Michel Dupuy and Pierre Paradinas, editors, Proceedings of the
IFIP TC11 16th International Conference on Information Security (IFIP/Sec’01),
pages 35–50, Paris, France, June 2001. IFIP, Kluwer Academic Publishers.
[21] Simone Fischer-Hübner. IT-Security and Privacy: Design and Use of Privacy-
Enhancing Security Mechanisms. Number 1958 in Lecture Notes in Computer
Science. Springer, 2001.
[22] Oliver Berthold, Hannes Federrath, and Marit Köhntopp. Project “Anonymity
and unobservability in the internet”. In Proceedings of the Workshop on Free-
dom and Privacy by Design / Conference on Freedom and Privacy, pages 57–65,
Toronto, Canada, April 2000. ACM.
[23] Michael Sobirey, Simone Fischer-Hübner, and Kai Rannenberg. Pseudonymous
audit for privacy enhanced intrusion detection. In L. Yngström and J. Carlsen,
editors, Proceedings of the IFIP TC11 13th International Conference on Informa-
tion Security (SEC’97), pages 151–163, Copenhagen, Denmark, May 1997. IFIP,
Chapman & Hall, London.
[24] Emilie Lundin and Erland Jonsson. Anomaly-based intrusion detection: privacy
concerns and other problems. Computer Networks, 34(4):623–640, October 2000.
[25] Roland Büschkes and Dogan Kesdogan. Privacy enhanced intrusion detection. In
Günter Müller and Kai Rannenberg, editors, Multilateral Security in Communi-
cations, Information Security, pages 187–204. Addison Wesley, 1999.
[26] George Davida, Yair Frankel, Yiannis Tsiounis, and Moti Yung. Anonymity con-
trol in e-cash systems. In R. Hirschfeld, editor, Proceedings of the First Interna-
tional Conference on Financial Cryptography (FC’97), number 1318 in Lecture
Notes in Computer Science, pages 1–16, Anguilla, British West Indies, February
1997. Springer.
[27] Jacques Traoré. Group signatures and their relevance to privacy-protecting offline
electronic cash systems. In J. Pieprzyk, R. Safavi-Naini, and J. Seberry, edi-
tors, Proceedings of the 4th Australasian Conference on Information Security and
Privacy (ACISP’99), number 1587 in Lecture Notes in Computer Science, pages
228–243, Wollongong, NSW, Australia, April 1999. Springer.
[28] Wenke Lee, Ludovic Mé, and Andreas Wespi, editors. Proceedings of the Fourth
International Workshop on Recent Advances in Intrusion Detection (RAID 2001),
number 2212 in LNCS, Davis, California, October 2001. Springer.
GROUP I1 THRESHOLD 6
FACILITY tcplog EVENT ’QUESO’
LEFTFEATURE ’ from ’, RIGHTFEATURE ’ port’ GROUP I1 WEIGHT const(1)
FACILITY tcplog EVENT ’ from ’
LEFTFEATURE ’ from ’, RIGHTFEATURE ’ port’ GROUP I1 WEIGHT const(1)
02:23:37 tcplog[1567]: FIN SYN RST URG : port 41067 from 217.82.199.102 port 42312
13:42:06 tcplog[1040]: SYN RES2 : ftp from 192.168.1.4 port 45691
13:42:06 tcplog[1040]: FIN SYN PSH URG : ftp from 192.168.1.4 port 45693
13:42:06 tcplog[1040]: FIN SYN PSH URG : ftp from 192.168.1.4 port 45693
13:42:06 tcplog[1040]: FIN PSH URG : port 34513 from 192.168.1.4 port 45697
13:42:06 tcplog[1040]: FIN PSH URG : port 34513 from 192.168.1.4 port 45697
13:42:06 tcplog[1040]: QUESO: port 34513 from 192.168.1.4 port 45697
When the tools have been configured for the queso scenario, the audit records
in Fig. 4 are pseudonymized by the pseudonymizer. The resulting audit records
are shown in Fig. 5. For the sake of presentation we moved the additional records
generated by the pseudonymizer to the bottom of Fig. 5 while retaining the relative order of the tcplog records and of the additional records. Note that in the tcplog records the IP addresses have been replaced by pointers to the additional records.⁵ The additional records provide the actual pseudonyms, i.e. the cryptographic material and other information required for the recovery of the replaced IP addresses. Note that the actual pseudonyms for IP address 192.168.1.4 are linkable using the identifier d2petb50CXOun4CuLPhluM8. In general, there may be audit records that describe activity definitely not related to any scenario, but whose features nevertheless need to be hidden. Such audit records can be pseudonymized while omitting the additional records, such that recovery is infeasible later on.

⁵ The PPO might additionally want to pseudonymize the port numbers. This is also perfectly possible, but for the sake of brevity of the example we refrain from doing so.
02:23:37 tcplog[1567]: FIN SYN RST URG : port 41067 from a1 port 42312
13:42:06 tcplog[1040]: SYN RES2 : ftp from a2 port 45691
13:42:06 tcplog[1040]: FIN SYN PSH URG : ftp from a3 port 45693
13:42:06 tcplog[1040]: FIN SYN PSH URG : ftp from a4 port 45693
13:42:06 tcplog[1040]: FIN PSH URG : port 34513 from a5 port 45697
13:42:06 tcplog[1040]: FIN PSH URG : port 34513 from a6 port 45697
13:42:06 tcplog[1040]: QUESO: port 34513 from a7 port 45697
02:23:37 pseudonymizer: Short=a1 Long=RW4gGPc2dWVLOwXgF20ENg:10:ECmA!_ph6kOhKLZBsMw!H7H2ztc Group=I1
13:42:06 pseudonymizer: Short=a2 Long=5QgfV3!umUu_Fj8MWI2yoA:5b:d2petb50CXOun4CuLPhluM8 Group=I1
13:42:06 pseudonymizer: Short=a3 Long=sW7bl67oOo1G5eiBpmu7hg:5c:d2petb50CXOun4CuLPhluM8 Group=I1
13:42:06 pseudonymizer: Short=a4 Long=wdEey!pfsM4jGtz91yejZw:5d:d2petb50CXOun4CuLPhluM8 Group=I1
13:42:06 pseudonymizer: Short=a5 Long=Fi7o9GJU!A5SwY0!dAcxsA:5e:d2petb50CXOun4CuLPhluM8 Group=I1
13:42:06 pseudonymizer: Short=a6 Long=rog6EObIHE3V5moFBlAr8Q:5f:d2petb50CXOun4CuLPhluM8 Group=I1
13:42:06 pseudonymizer: Short=a7 Long=it0SIYe5EYysleQNF0haNg:60:d2petb50CXOun4CuLPhluM8 Group=I1
02:23:37 tcplog[1567]: FIN SYN RST URG : port 41067 from a1 port 42312
13:42:06 tcplog[1040]: SYN RES2 : ftp from 192.168.1.4 port 45691
13:42:06 tcplog[1040]: FIN SYN PSH URG : ftp from 192.168.1.4 port 45693
13:42:06 tcplog[1040]: FIN SYN PSH URG : ftp from 192.168.1.4 port 45693
13:42:06 tcplog[1040]: FIN PSH URG : port 34513 from 192.168.1.4 port 45697
13:42:06 tcplog[1040]: FIN PSH URG : port 34513 from 192.168.1.4 port 45697
13:42:06 tcplog[1040]: QUESO: port 34513 from 192.168.1.4 port 45697
02:23:37 pseudonymizer: Short=a1 Long=RW4gGPc2dWVLOwXgF20ENg:10:ECmA!_ph6kOhKLZBsMw!H7H2ztc Group=I1
Fig. 6. Sample pseudonymized audit records from Fig. 5 with recovered features
The audit records in Fig. 5 are transferred to the SSO. When the SSO detects
the queso scan contained in the audit records in Fig. 5 he uses the reidentifier
to recover the IP address features associated with the satisfied queso scenario.
The resulting audit records are shown in Fig. 6. Note that the pseudonym in the first audit record in Fig. 6 is not revealed, since it corresponds to an IP address not involved in the queso scan originating from IP address 192.168.1.4.
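The substitution step can be sketched as follows (a rough illustration: the marker strings ' from ' and ' port' come from the configuration example, while make_pseudonymizer and the simplified additional-record format are invented; the real tool emits cryptographic material rather than the raw feature):

```python
import itertools

def make_pseudonymizer(left, right):
    """Replace the feature enclosed by the LEFTFEATURE/RIGHTFEATURE markers
    of a matching log line with a short pseudonym, and emit an additional
    record that links the pseudonym to the hidden feature."""
    counter = itertools.count(1)

    def pseudonymize(line):
        start = line.find(left)
        if start < 0:
            return line, None            # line does not match the rule
        start += len(left)
        end = line.find(right, start)
        if end < 0:
            return line, None
        feature = line[start:end]
        short = "a%d" % next(counter)
        # The real tool stores cryptographic material (e.g. a share of a
        # threshold scheme) here; we keep the raw feature only to show the
        # structure of the additional record.
        extra = "pseudonymizer: Short=%s Feature=%s Group=I1" % (short, feature)
        return line[:start] + short + line[end:], extra

    return pseudonymize

pseudonymize = make_pseudonymizer(" from ", " port")
line = "13:42:06 tcplog[1040]: QUESO: port 34513 from 192.168.1.4 port 45697"
new_line, extra = pseudonymize(line)
```

Applied to the tcplog records of Fig. 4, each matching line yields one rewritten record and one additional record, mirroring the structure of Fig. 5.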
DPS: An Architectural Style for Development of Secure Software∗
1 Introduction
G. Davida, Y. Frankel and O. Rees (Eds.): InfraSec 2002, LNCS 2437, pp. 180–198, 2002.
c Springer-Verlag Berlin Heidelberg 2002
2 Related Work
modes of users, provides access support for various devices, supports distributed
search of users and artifacts, offers user management facilities in a way where
users can be grouped in communities. The MOTION platform also contains an
access control mechanism.
[Figure: MOTION platform architecture; labels: Presentation Layer, Communication Middleware, Event Based System, Peer-to-Peer File Sharing]
In this section, we discuss the integration of the components listed above. The
purpose of this section is to illustrate (1) the need for the DPS style, and (2) the
benefits we would gain if we had used this style right from the beginning of the
development process. We focus on the integration of the TWS layer components
with the access control module. This integration essentially consists of inserting
the instructions for access control in each public method of the TWS layer. An
example is presented in Listing 1. The method addMember is shown. The purpose
of this method is to add a user to a community. The access control check is
performed at line 7. The lines 3 to 6 prepare the arguments for invoking the
operation checkPermission performing the permission check. This integration
had to be performed for approximately 110 methods made available by the
TWS layer. Initially, 100 person-hours were foreseen for this task. In the end,
we needed about 320 person-hours, a time over-run of more than 200%! What went
wrong?
users and components. Each public method of the TWS layer performs access
control checks. This is because most of these methods are also directly invoked
by the presentation layer or business specific services. The implication is that
for invoking the method addMember, three different access rights are required:
– the access right add-member required by the operation addMember. This ac-
cess right ensures that the user invoking the operation has the permission to
insert a user into the target community.
– the access right write ensures that the user has the permission to write to
the repository.
– the access right publish is checked by the TWS publish/subscribe for en-
suring that the user has the permission to publish the specified event.
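A minimal Python sketch of this call chain (the function names and the rights model are hypothetical stand-ins for the MOTION operations) shows why a single invocation of addMember requires all three rights:

```python
class PermissionDenied(Exception):
    pass

def check_permission(user, right):
    # Hypothetical stand-in for the checkPermission operation.
    if right not in user["rights"]:
        raise PermissionDenied(right)

def publish(user, event):
    check_permission(user, "publish")       # checked by TWS publish/subscribe
    # ... deliver the event ...

def store(user, item):
    check_permission(user, "write")         # checked by the repository
    # ... persist the item ...

def add_member(user, community, member):
    check_permission(user, "add-member")    # operation-level check
    store(user, (community, member))
    publish(user, "member-added")
```

A user holding add-member and write but not publish fails inside the event system, even though the operation-level check succeeded.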
MOTION system, there exists a list of components (or a list of methods, de-
pending on the granularity) allowed to invoke it. Thus, if some malicious code
wants for instance to modify the access control list stored in the repository, the
operation fails since this code is not allowed to interact with the repository. The
principle is similar to code access control provided in the Java environment [15].
Given these two techniques, we are able to efficiently protect the MOTION
platform. We strongly believe that the experience gained in securing this plat-
form can be useful to other software developers. We therefore propose to capture
its quintessential properties through an architectural style that abstracts away
from MOTION specific details.
Vocabulary
In its basic version, the DPS recognizes three types of components: a user access
control component, a code access control component, and the set of components
forming a system and interacting with the user and code access control compo-
nents. In case of MOTION, such components are, for instance, the repository,
the artifact manager, or the community manager.
A component is called protectee of a user/code access control component
if one of its services interacts with this user/code access control component.
This user/code access control component is called a protector of the protected
component. Further, a component that makes available a service interacting
with a user access control component is said to be user access controlled. If the
component rather interacts with a code access controller, it is said to be code
access controlled.
For instance, all methods of the TWS layer are code access controlled while
all methods of the ACTWS layer are user access controlled.
The connectors between protectees and protectors are called access control
checks or permission checks. There exist two kinds of permission check: user
permission check and code permission check. A user permission check is initiated
by a protectee towards a user access control component. This is a request to the
user access control component to check the authorization of a user to access an
object. Similarly, a code permission check is a request to a code access controller
to decide on the authorization of another application to make use of the requested
service.
Invariants
The DPS style constrains the behaviors of protectors and protectees by means
of two invariants. The first invariant is best explained in terms of CSP traces
[2]. A trace is a sequence of events that a process (or a service) allows. An event
is an atomic action, i.e. it cannot be decomposed. In this respect, we consider
permission checks as events. A permission check cannot be decomposed into
other events. The implication is that any process performing permission checks
is not atomic. We use the terms service and process equivalently. An application
satisfies the DPS style if each of its processes satisfies the DPS invariants. Such
an application will be said to be DPS protected.
The first invariant of the DPS style ensures that the number of occurrences of
user permission checks in each process is equal to 1. The number of occurrences
of an event, say a, in a trace T is denoted by T ↓ a.
An example of a system S, consisting of the services S0, S10, S11, is illustrated in Figure 3 together with its call graph. Its processes are defined as traces(S11) = {⟨UP.CP.A2⟩}, traces(S10) = {⟨UP.CP.A1⟩}, and traces(S0) = {⟨CP.UP.CP.A2⟩, ⟨CP.UP.CP.A1⟩}. UP and CP are user and code permission checks respectively, and A1 and A2 are actions other than permission checks. This system satisfies the first invariant of the DPS style. In fact, ⟨UP.CP.A1⟩ ↓ UP = 1, ⟨UP.CP.A2⟩ ↓ UP = 1, ⟨CP.UP.CP.A1⟩ ↓ UP = 1, and ⟨CP.UP.CP.A2⟩ ↓ UP = 1.
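The occurrence count T ↓ a and the first invariant can be rendered directly as a sketch (events modeled as plain strings; this is an illustration, not the paper's formalism):

```python
def occ(trace, event):
    # T ↓ a: the number of occurrences of event a in trace T
    return trace.count(event)

def satisfies_invariant1(traces):
    # Each trace must contain exactly one user permission check (UP).
    return all(occ(t, "UP") == 1 for t in traces)

# The traces of the system of Figure 3 (UP/CP: user/code permission check,
# A1/A2: other actions).
system_traces = [
    ("UP", "CP", "A2"),          # traces(S11)
    ("UP", "CP", "A1"),          # traces(S10)
    ("CP", "UP", "CP", "A2"),    # traces(S0)
    ("CP", "UP", "CP", "A1"),
]
```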
Informally, this invariant prescribes that user permissions should be checked
only once for each task that a user performs. It does not prevent methods from
performing various permission checks, but ensures that all permission checks
must be performed in an exclusive manner so that only one of them can be
executed each time.
For a program that has no permission checks in if-else blocks, the invariant
can be expressed in terms of its call graph. In this case, there should be one
method performing user permission check in each path of the call graph. An
example is depicted in Figure 3. On each of the paths of this call graph, there
exists exactly one service that initiates a user permission check.
In general, this invariant cannot be expressed in terms of a call graph since
a method whose body includes the instruction
if(condition) user-permission-check-1 else user-permission-check-2
satisfies the first invariant of the DPS style but is said to contain two permission
checks (following the definition of call graphs [26]).
The second invariant of the DPS style ensures that each service performs at
least one code permission check. In other terms, all methods must be protectee of
some code access controller. Considering the example of Figure 3, all services S0 ,
S11 , S10 perform code permission checks. Unlike the first invariant, the second
invariant is easily expressed in terms of methods instead of traces.
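The second invariant admits a similar sketch (again with events as strings; CP marks a code permission check):

```python
def satisfies_invariant2(traces):
    # Every trace must contain at least one code permission check (CP),
    # i.e. every service is protectee of some code access controller.
    return all(t.count("CP") >= 1 for t in traces)

# The traces of the system of Figure 3, all of which perform CP.
traces_fig3 = [
    ("UP", "CP", "A2"),
    ("UP", "CP", "A1"),
    ("CP", "UP", "CP", "A2"),
    ("CP", "UP", "CP", "A1"),
]
```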
Note that how the access controller decides whether users or code have permissions depends on the particular architecture (thus on the instance of the style).
The DPS style supposes that the identities of users and code can be verified.
That is, there exists a reliable mechanism for determining which user/service is
requesting a service. Though there exist different mechanisms for authenticating
users, this is not the case for code. Considering two services hosted by two
different computers and communicating by means of a handshake protocol, it
is difficult for each of them to verify the identity of the application running at
the other end. This problem, however, does not exist when the components are
co-located and one is accessing the other through a direct method call. In Java,
for instance, the stack inspection algorithm provides the facility of determining
which methods are currently being executed.
with its central example of use. Thus, in practice, we will not consider systems
that practically behave as specializations of the DPS style as violations of this
style.
The only case that intriguingly violates the DPS style is when there exists a
trace of the application where the number of occurrences of the user permission
checks is greater than 1. Such a case is shown for instance in Figure 4. The
branch of the call graph composed of the invocation of S0 , S01 contains two user
permission checks. In terms of traces, we have
traces(S0) = {⟨CP.UP.CP.UP.A2⟩, ⟨CP.UP.CP.A1⟩}, and ⟨CP.UP.CP.UP.A2⟩ ↓
UP = 2. The mv command of the UNIX/LINUX operating system is an example
of an application that does not satisfy the DPS style (although an equivalent
command can be implemented that satisfies DPS). For moving a file to a di-
rectory, one needs to have the permission to read that file and the permission
to write to the target directory. The command less, on the other hand, satisfies
the DPS style. These commands are applications that are constructed using
the system calls of the operating system such as sys read and sys write [13].
A question that can be raised is whether the UNIX/LINUX operating system itself
satisfies the DPS style. We are currently investigating this issue.
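The contrast between mv and less can be made concrete with hypothetical traces (the event names are illustrative, not actual system calls):

```python
def user_permission_checks(trace):
    # Count the user permission checks (events prefixed UP) in a trace.
    return sum(1 for event in trace if event.startswith("UP"))

# mv checks read permission on the source file and write permission on the
# target directory; less checks read permission on the file only.
mv_trace = ("UP_read_file", "UP_write_dir", "A_move")
less_trace = ("UP_read_file", "A_display")
```

With two user permission checks in a single trace, mv violates the first DPS invariant, while less satisfies it.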
Code access control is not specific to Java. The concept of domain type
enforcement [1] originally proposed for Unix ensures that code modules are per-
mitted to access only a controlled set of resources (including other modules).
Advantages
Our style provides a number of advantages. Most of them are oriented towards
facilitating the development of access controlled applications. Therefore, we con-
centrate on these features first and not on the security capabilities of our style.
The DPS style proposes a clear architecture for easily constructing usable and
secure applications. We are not aware of a similar architectural style for building
secure systems.
Starting with the DPS style, the developer knows from the beginning of
the development process exactly what actions are to be carried out. He can
decide exactly where to perform security checks in his components, decide on
which protectors to use, and what the implications are in terms of dependability,
architecture, and maintenance. In general, such an architectural style forces the
software developer to take security into consideration very early in the design of
the architecture.
Applications based on the DPS style are easier to administer. In fact, the
administrator knows that for each task, there is at most one access right that
must be owned. This is obviously much simpler than administrating an appli-
cation where tasks require many different permissions. Moreover, the behavior
of applications where operations require many access rights might sometimes be
unexpected. Considering the case of addMember presented above, it is difficult to
assign to a user the permission to add users to a community without assigning
him the permission to publish events related to the profile of this user such as
“user is online”, or “user is expert”. An undesirable side effect! This side effect
[15] where the two connectors are strongly coupled. The separation between these
connectors allows security engineers to control security mechanisms more finely,
matching them to their needs.
Shortcomings
The DPS style relies on the identity of client components. This leads to a subtle
limitation in the application of the DPS style in distributed environments. This
limitation occurs when it is not possible to verify the identity of the requesting
service. Let us consider for instance an architecture based on services S01 , S02 ,
and S1 where S01 and S02 both request S1 . All communication between these
services is performed by means of handshake protocols. This means that these
services have no methods for verifying the identity of the code with which they
communicate. Following the DPS style, user permission checks must be per-
formed either by S01 and S02 or by S1 . In the first case, however, S1 is totally
vulnerable to attacks since there is no way to establish the authenticity of its
callers and thus to perform code permission checks.
In the second case, user permission checks must be done by S1 (following
DPS). This however is not always feasible. S1 might be a commercial service
made available by a third party while S01 , and S02 are independent services
constructed upon S1 . The recommendation of the DPS style would thus mean
that S1 must manage a user access control component and policy for S01 and
S02 which is not practicable. A concrete example of this scenario is where S1 is a
search engine such as Google and S01 is a MOTION service. There is no reason
why Google should perform access control for the MOTION platform.
We propose two solutions to this limitation. The first solution consists of
relaxing the second invariant of the DPS style. This relaxation consists of iden-
tifying remote applications through the name of the computer hosting them
(possibly combined with some other authentication information). The second
solution relies on using middleware such as RMI or CORBA. They give appli-
cations the possibility to question the identity of a caller. In both solutions, the
application of the DPS style is risky. The risk in the first solution is obviously
bigger than in the second solution. In the first solution, some malicious code
can still attack a remote service if it is located on a host authorized to interact
with this service. In the second case, an attacker needs to fake the implementation
of RMI/CORBA that is used to communicate with the remote service; the fake
implementation would then spoof the identity of the caller. Obviously one
is more protected in the second case, whose dependability can be improved by
using further authentication information.
A second shortcoming that can be attributed to the DPS style is the lack of
defense in depth. The idea behind defense in depth is to provide diverse defensive
strategies, so that if one of them fails the other can still prevent a full breach.
Consider the example shown in Figure 3: if a security breach succeeds in
S0, by means of a buffer overflow for instance, the attacker gains control of the
system. He can then perform everything that S0 is normally allowed to perform.
There exists a solution to this limitation that even produces the
same results as the DPS style. This solution consists of reformulating the first
invariant of the DPS. This reformulation proposes not to limit the number of
user permission checks in traces to one, but requires that all user permission
checks in a trace be equivalent. We say that two user permission checks are
equivalent if the related user access controllers return the same answers given
similar input. We, however, prefer the current version of the invariant, since it is
much simpler and intuitive enough to be understood and successfully applied by
the average programmer.
The Alloy specification language was designed by Daniel Jackson [11]. It is a first
order language that can be viewed as a subset of Z [4]. Alloy is a declarative lan-
guage similar to the formal specification languages Z [4], and VDM [20]. Unlike
these languages, Alloy is automatically analyzable in the style of model checking.
Models described using this specification language are called micromodels. They
are intended to be tiny models that focus on the risky parts of a system.
It might be argued that a model should intrinsically abstract from details and
thus be an order of magnitude smaller than the system it models. This observa-
tion holds! From our experience [5], however, the kind of verification mechanism
available for a specification language plays an important role. Considering the
example of VDM, the automatic verification facility available up to now is testing
(a facility provided by the IFAD VDM Tools [24]). To be amenable to testing,
however, a VDM-SL specification has to be interpretable and thus written in an
executable subset of VDM-SL. Thus, the designer is distracted from the goal of
producing a tiny model to the goal of producing an interpretable model. Though
interpretable models are an order of magnitude smaller than the systems they
model, they are also an order of magnitude bigger than non-interpretable models.
With its automatic analyzer, the Alloy specification language allows the designer
As the reader must have noticed, the two invariants of the DPS style are based
on two different views of applications. The first is based on CSP traces and the
second is based on a methods view. The following specification is based on these
two views. In this specification, we restrict the notion of trace to the alphabet
of this trace. Thus, considering for instance the trace ⟨a, b, c, d⟩, we denote it as
{a, b, c, d}. This simplification has no influence on our invariants since they only
constrain the number of occurrences of some actions, but not their order.
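The reduction of traces to alphabets can be mimicked with sets (a sketch with hypothetical event names):

```python
# User permission check events; all other events are code permission
# checks or ordinary actions. The names are invented for illustration.
UP_EVENTS = {"up1", "up2"}

def invariant1_on_alphabet(alphabet):
    # "Exactly one occurrence of a user permission check" becomes
    # "exactly one element of the alphabet is a user permission check",
    # since distinct check events remain distinct set elements.
    return len(alphabet & UP_EVENTS) == 1
```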
Line 1 of the specification defines the name of the module including the style.
Line 3 declares the type Event. An event is not decomposable. Two kinds of
events are of particular interest, CodePermissionCheck and UserPermissionCheck,
declared at line 5. These two kinds of events are disjoint (denoted with disj):
no event can simultaneously be a user permission check and a code permission
check. A trace is defined by a set of events (line 7). Empty traces are explicitly
excluded from our specification. The fact TraceEquality ensures that two traces
are equal if and only if they have the same alphabet. This is not
true in general (see [2]). We define a service using two different views, a method
view and a trace view (line 9).
In the first view, a service simply consists of a set of traces. In the second
view, a service is defined as a component that invokes other services and
actions. The set of services a service invokes is not of interest to us, but the set
of actions it invokes is. The set of actions invoked by a service must be a subset
of each of its traces.
We further define a system as composed of user services and internal services.
User services are services that are available to the users of the application. Internal
services are not directly accessible to users, but possibly to other services. Systems
that define no service are not of interest to us (line 15). Besides this restriction,
we require that no service be simultaneously a user service and an internal
service. A DPSSystem is a kind of system (line 22) whose behavior is
constrained by invariants Invariant 1, and Invariant 2 (line 24). Invariant 1 (line
25) requires that any user service of a DPSSystem performs exactly one user
permission check —be it directly or indirectly. That is, given a DPSSystem, any
trace of any of its user services must contain exactly one user permission check.
Invariant 2 (line 27) ensures that each service —be it user service or internal
service— be protected by means of code permission checks.
The remainder of the section explains some assertions on the DPS style. The
Alloy automatic analyzer is used to verify these assertions.
Since each permission check is directed towards an access controller, the
existence of a user/code permission check implies the existence of a user/code
access controller. We thus prove that each DPS system
has a user/code permission check. The formulation of this theorem is given at
line 33. It stipulates that the alphabet of any DPSSystem includes some user
permission checks and some code permission checks. The verification of this
theorem is done by instructing the analyzer to check it (line 36). The analyzer
fails to find a counter-example.
Theorem 3 (Non-DPS System Existence). Not every system is a DPS Sys-
tem.
We already showed that there exists some DPS system. However, in the instances
generated by the analyzer, all systems were DPS systems. This raises the
question of whether there exists a system that is not a DPS system. We assert
that the set of all systems is equal to the set of all DPS systems (line 38). The
analyzer is able to find a system that is not a DPS system, thus falsifying our
assertion.
Theorem 4 (DPS Layered View). Any DPS system has a three-layer architecture.
We classify the set of services in three categories. The first category consists of
services that contain a user permission check in their traces, but not in their
actions. In other words, this is the set of services that do not directly invoke
user permission checks, but invoke other services that eventually perform user
permission check (line 41). The second category of services consists of services
that directly perform user permission checks thus have a user permission check
in their set of actions (line 44). The third category of services is the set of services
that have no user permission check in their traces (line 46). We show at lines 48-
50 that these three layers are pairwise disjoint. We finally show at
lines 52-54 that any DPS system is composed of these three disjoint layers. This
theorem is illustrated by the MOTION layered architecture. The second layer
is the ACTWS layer, the first layer is composed of all components below the
ACTWS layer, and the third layer is composed of the business specific services
and the presentation layer (see Figure 2).
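The three-way classification can be sketched over the two views of a service (an illustrative encoding; the service names and the "UP" marker are invented):

```python
def classify(services):
    """Split services into the three DPS layers.

    services maps a name to (actions, traces); "UP" marks a user
    permission check. This is an illustrative encoding of the two
    views, not the Alloy specification itself.
    """
    indirect, direct, unchecked = set(), set(), set()
    for name, (actions, traces) in services.items():
        if "UP" in actions:
            direct.add(name)                     # performs UP itself
        elif any("UP" in t for t in traces):
            indirect.add(name)                   # reaches UP via a callee
        else:
            unchecked.add(name)                  # no UP in any trace
    return indirect, direct, unchecked

system = {
    "S_caller":  ((), (("CP", "UP", "CP", "A"),)),   # UP in trace only
    "S_checker": (("UP",), (("UP", "CP", "A"),)),    # UP among its actions
    "S_worker":  ((), (("CP", "A"),)),               # no UP at all
}
```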
We have formulated and analyzed other theorems on the DPS style. These
theorems, however, are based on some other views, and thus other specifications
and are not presented here.
6 Conclusion
We presented the Dual Protection Style, an architectural style for building access
controlled software systems. This style distinguishes three kinds of components:
user access control components, code access control components and protectees.
Protectees are components whose services are protected by access controllers.
The connectors between protectees and access control components are called
permission checks. The DPS style constrains the interaction between protectees
and protectors by means of two invariants. Besides an informal description of
this style, we presented some of its advantages and shortcomings. We finally
presented a formal specification of the DPS style using the Alloy specification
language and verification of some of its properties.
A question that can be raised is how applications are constructed without
the DPS style. We have presented a class of applications whose architectures
are said to be degenerate forms of the DPS style that behave practically like
instances of the DPS style. We gave examples of applications in this class. The
notion of code permission has recently attracted attention (due to Java), although it was
already investigated in the UNIX environment under the concept of domain type
enforcement. We presented a framework of how to combine it with user access
control.
The DPS style is not a panacea that is applicable in all cases. We presented an
example application that does not satisfy the DPS style. Most advantages that
we presented concerning this style are related to usability and easy applicability.
The next step is to investigate how to specify the security properties of this style
and how to prove them.
Another issue that needs to be clarified is that of composition. Is DPS compatible
with software development approaches such as component-based development?
The answer to this question is yes. Components can perform different
user permission checks and still be composed into a system that satisfies DPS. For
this, the access control system must intentionally be built to support DPS. We
are currently constructing such an access control system. The idea behind it is
to have a global context variable that records whether a user permission check
was already performed for a given trace. If so, further permission checks are
ignored; otherwise the check is performed.
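Such an access control system might look roughly as follows (a hypothetical sketch using thread-local state as the global context variable; the class and method names are invented):

```python
import threading

class DPSUserAccessController:
    """A per-trace context flag records whether a user permission check
    was already performed; later checks in the same trace are ignored,
    so independently developed components compose into a DPS system."""

    def __init__(self):
        self._ctx = threading.local()

    def begin_trace(self):
        # Called when a user-level task (a new trace) starts.
        self._ctx.checked = False

    def check(self, user, right):
        if getattr(self._ctx, "checked", False):
            return True                      # already checked in this trace
        self._ctx.checked = True
        return right in user["rights"]
```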
References
19. Gian Pietro Picco and Gianpaolo Cugola. PeerWare: Core Middleware Support for
Peer-To-Peer and Mobile Systems. Technical report, Dipartimento di Elettronica
e Informazione, Politecnico di Milano, 2001.
20. Nico Plat and Peter Gorm Larsen. An Overview of the ISO/VDM-SL Standard.
In ACM SIGPLAN Notices. ACM SIGPLAN, September 1992.
21. Gerald Reif, Engin Kirda, Harald Gall, Gian Pietro Picco, Gianpaolo Cugola, and
Pascal Fenkam. A web-based peer-to-peer architecture for collaborative nomadic
working. In 10th IEEE Workshops on Enabling Technologies: Infrastructures for
Collaborative Enterprises (WETICE), Boston, MA, USA. IEEE Computer Society
Press, June 2001.
22. Michael P. Ressler. Security sensitive software development. In IEEE International
Carnahan Conference on Security Technology (ICCST), 1989.
23. Sun Microsystems. Security code guidelines. Technical report, Sun Microsystems,
February 2000. Available at http://java.sun.com/security/seccodeguide.html.
24. The Institute of Applied Computer Science, IFAD. The IFAD VDM Toolbox. IFAD,
Denmark, 1999. Available from www.ifad.dk.
25. The Open Group. Guide to Security Patterns, Draft 1. The Open Group, April
2002. Available at www.opengroup.org.
26. Frank Tip and Jens Palsberg. Scalable Propagation-based Call Graph Construction
Algorithms. In Proceedings of the ACM Conference on Object Oriented Program-
ming Systems, Languages and Applications (OOPSLA 2000). ACM Press, October
2000.
27. John Viega and Gary McGraw. Building Secure Software, How to Avoid Security
Problems the Right Way. Addison Wesley Professional Computing Series, 2002.
28. Joseph Yoder and Jeffrey Barcalow. Architectural patterns for enabling applica-
tion security. In Proceedings of the Pattern Languages of Programming (PLoP)
Workshop, September 1997.
A New Infrastructure for User Tracking Prevention and
Privacy Protection in Internet Shopping
Abstract. Web technologies provide several means to infringe user privacy. This
is especially true when customers buying tangible goods submit orders that contain
their real identity and physical address. Then, in practice, the vendor can link this
information with all information gathered about the customer, obtained through
various means. In this paper, we present a solution that is based on mobile agents
and a new infrastructure consisting of a mobile agent base station and a cardinality
observer. This infrastructure can be used to prevent the vendor from directly
linking information gathered about the customer with identifying information
usually contained in the customer’s order. The vendor can only assign customers
to their correct profiles with some probability which depends on the number of
candidate profiles. The new infrastructure allows the customer to decrease this
probability in several ways. Using both the cardinality observer and the
mobile agent base station deterministically guarantees to the customer that an
agent starts its journey only when a desired threshold for the linking probability
has been reached. In a second variant, using only the mobile agent base station,
the linking probability is decreased in a probabilistic manner by introducing a
fixed delay before the mobile agent's release.
1 Introduction
Privacy threats and problems in the context of electronic commerce have been
extensively discussed in the literature since the economic importance of the Internet
was recognized. In academic work done so far, solutions were mostly proposed for
cases in which the trade objects are restricted to intangible goods, e.g., see [2,11].
There, all phases of a typical business process, consisting of search, order, pay, and
deliver, can be performed electronically. As a consequence, technical means developed
for communication networks can be used to protect a customer's privacy, e.g.,
anonymity networks [9,12].
When dealing with tangible goods —e.g., books, CDs— these techniques can also
be used. In the search phase, when the buyer browses through the product catalog,
anonymity networks can prevent re-identification and protect the buyer against
some threats, e.g., price discrimination. Unfortunately, however, these techniques
cannot prevent linkability between the phases, which allows the vendor to learn
much more about the buyer than is necessary for carrying out the business process.
In practice, in order to receive a tangible good a buyer has to reveal his identity and
address to the vendor for reasons of delivery. It is not realistic to assume that either all
buyers get their ordered goods in a poste restante manner where the identity of a buyer
G. Davida, Y. Frankel and O. Rees (Eds.): InfraSec 2002, LNCS 2437, pp. 199–213, 2002.
c Springer-Verlag Berlin Heidelberg 2002
200 M. Enzmann, T. Kunz, and M. Schneider
can remain hidden, or that an additional third party receives the package on behalf of
the buyer in order to hide his identity. Thus, the vendor learns at least who is buying
what. But presently, the vendor can learn much more. Since the vendor can link the data
given to him during the order phase to the buyer’s activities during the search phase,
the vendor gets much deeper insight into the buyer’s interests than necessary for the
following phases of the business process. This situation can be compared to physical
world scenarios, where one is being completely traced while walking through a shop
before going to the cash desk. The vendor’s ability to link these two phases is achieved
by using several tracking mechanisms.
The goal of this work is to present a convenient solution that prevents the vendor from
linking data collected during the search phase with data obtained in the order phase of the
same business process. In this work, we propose a mobile agent system and a specific
infrastructure to solve the problems described above. Instead of filling goods into a
virtual trolley during the search phase, the customer inserts the order information into a
mobile agent. This agent is sent to a central mobile agent base station, a component of
our infrastructure, which is permanently online. From this base station, the agent starts
its journey. After having finished its tasks, it returns to the base station.
The solution provides some additional useful features. By using another infrastruc-
ture component, the cardinality observer, it can be guaranteed that the agent is only sent
when a desired number of candidates has been reached. As a direct consequence, this
results in a linking probability below a specific value. In another, weaker approach,
the buyer can define a delay between the transfer of the agent and the start of the
agent's journey. This makes it possible to increase the cardinality of the group
of potential candidates associated with a product, thereby reducing the linking
probability for the vendor in a probabilistic way. Another advantage of our solution
results from mobile agent functionality: since the agent can actively make decisions
based on results created on its journey, it is possible to define orders that
depend on the availability of products from previous orders of the same shopping
tour.
2 Tracking Users
The vendor's ability to link buyer activities rests on several technical means of
tracking users in HTTP communication. Here, tracking means the re-identification
of a user who subsequently sends requests to a server. We can distinguish
between the re-identification of users across distinct sessions and the re-identification
of users within one session, possibly in different phases.
2.1 Profiles
As long as customers do not prevent the vendor from tracking them, the vendor is able
to record profiles. Such a profile can be understood as a sequence of requests for
resources —like web pages— that can be associated with one session, and thereby with
one customer, using the methods presented below. Eventually, the vendor's database
contains a variety of profiles prof1 , . . . , profm that can be exploited afterwards.
When a customer clicks
Product identifiers. One way of identifying a buyer's search phase a posteriori is to use
specially encoded product identifiers (PIDs). Such an identifier could contain a static part
that refers to the product and a dynamic part that identifies a certain search phase. Since
customers are used to numeric PIDs, they will not notice that they are given
information-leaking PIDs.
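To illustrate the threat, a numeric PID might hide a session tag in its low digits; the layout shown here is purely hypothetical:

```python
# Hypothetical PID layout: the high digits identify the product (static
# part), the low six digits carry a per-session tag (dynamic part).
def make_pid(product_code: int, session_tag: int) -> int:
    assert 0 <= session_tag < 1_000_000
    return product_code * 1_000_000 + session_tag

def split_pid(pid: int) -> tuple:
    # recover (static product part, session tag)
    return divmod(pid, 1_000_000)
```

For example, `make_pid(4711, 42)` yields `4711000042`, an ordinary-looking product number from which the vendor can nevertheless recover the search session via `split_pid`.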
Prices. By quoting different prices to different customers, prices can also be used to
link phases when they are contained in an order. In contrast to PIDs, prices allow
unique re-identification only in theory. In practice, a vendor has only a finite range of
prices that customers are willing to pay for a given product. Once this range is depleted,
some prices must be re-used, and uniqueness is lost.
Product ordering. Another method for content tracking is to correlate the sequence in
which products were clicked in the search phase with the product sequence submitted in
a buyer's order. This is possible since the ordered goods normally appear in the vendor's
collected profile —possibly interleaved with other products that were viewed but not
ordered— in exactly the same sequence as in the buyer's order. As with prices, using
product ordering to map profiles to buyers is probabilistic, since there can be several
candidates.
3 Threats to Privacy
In today’s web practice, we can identify a lack of privacy enhancing technologies [3]. It
can be assumed that this lack of adequate privacy enhancing technologies is an additional
barrier to the diffusion of e-commerce applications [4,13]. Thus, there is a need to
change the present situation by introducing new technical solutions that allow
invasions of privacy to be avoided or reduced.
In practice, a customer who decides to buy a tangible good electronically usually
has to reveal his identity and address to the vendor in order to allow delivery. Thus, a
vendor clearly learns who is buying what. But by tracking the user through the whole
business process, the vendor learns much more, e.g., what other products the customer is
interested in. This data can be used to enrich the customer’s profile stored in the vendor’s
database, and thereby, to obtain a more profound basis for customer categorization to be
used for data mining.
4 Mobile Agents
Mobile agents are autonomous programs, which migrate through a network of sites to
accomplish tasks or take orders on behalf of their owners. The owner of an agent can
instruct it to visit many hosts in a network, and thereby execute some desired tasks for
him. After having carried out all instructions, the agent returns to its base station and
delivers the results it collected during its journey to its owner. One advantage of
mobile agent technology is that transaction costs for the agent owner are markedly
reduced: after leaving its owner, the agent migrates from one host to the next
autonomously, so during this period the owner is not required to maintain his online
connection to the network. In the past years, much work has been done in the area of
mobile agents, and there is a variety of mobile agent systems, e.g., Aglets [7].
In the following, we will not focus on a specific mobile agent system but consider
mobile agents in a rather abstract way. This means that only those components
of mobile agents will be considered which are of special relevance for the solution
presented in this paper. At our level of abstraction, a mobile agent a consists of the
following components: a = (bc, r, d, δ). The component bc denotes the binary code
of the agent to be executed. Furthermore, r describes the mobile agent's route as an
(n + 1)-tuple (with n ≥ 1) consisting of host addresses ad(si ) that have to be visited on
the agent's journey: r = (ad(s1 ), . . . , ad(sn ), ad(bs)). This route is given by the agent
owner. The agent starts its journey at a base station bs, to which it returns after it has
visited the stations contained in the route. Since the first migration is bs → s1 , the first
route entry is ad(s1 ). The component d denotes the data given by the agent owner;
it will be used as input for the computations at the hosts s1 , . . . , sn on
the agent's journey. Thus, we can think of it as d = (d1 , . . . , dn ), where di is the
input data for si with 1 ≤ i ≤ n. The data obtained as output of the computations
are contained in δ. Similarly, we have δ = (δ1 , . . . , δn ).
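At this level of abstraction, the agent can be sketched as a plain record; the field names are ours:

```python
from dataclasses import dataclass, field

@dataclass
class Agent:
    """a = (bc, r, d, delta) as defined in the text."""
    bc: bytes            # binary code of the agent
    r: tuple             # route (ad(s1), ..., ad(sn), ad(bs))
    d: tuple             # inputs (d1, ..., dn), one per host
    delta: list = field(default_factory=list)  # outputs collected en route

# Example with n = 2 hosts followed by the base station:
a = Agent(bc=b"<code>", r=("ad(s1)", "ad(s2)", "ad(bs)"), d=("d1", "d2"))
```

Note the invariant from the definition: the route has n + 1 entries, one more than the input tuple, because the final entry is the base station rather than a computation host.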
The principle of how to deal with r̃ is as follows. The base station learns from the first
entry of r̃ where to dispatch the agent. Before the agent is sent to s1 , bs deletes this entry
from r̃. When s1 receives the agent with the new r̃, it decrypts the ciphertext contained in
r̃ and obtains the successor address ad(s2 ), a signature, and a further ciphertext. Before
sending the agent to s2 , the address and the signature are deleted from r̃. This procedure
is repeated until the agent arrives at sn−1 , where the last decryption is necessary, i.e.,
sn−1 obtains the last address ad(sn ) and signature contained in the onion. After deletion
of these parameters from r̃, the agent is finally sent to bs as defined by the last entry ad(bs).
The idea of the route protection is that visited hosts do not learn which other hosts the
agent visits, except their respective predecessor and successor. If the agent owner does
not want visited hosts to get any information about other hosts contained in the route,
he can introduce dummy hosts into the route that just forward the agent.
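The nesting can be sketched as follows; `seal()`/`unseal()` are toy stand-ins for encryption under each host's public key, and the signature strings are placeholders rather than the scheme's real signatures:

```python
def seal(key, payload):
    """Toy stand-in for encrypting payload under a host's public key."""
    return ("sealed", key, payload)

def unseal(key, box):
    tag, k, payload = box
    if tag != "sealed" or k != key:
        raise ValueError("wrong key")
    return payload

def build_route(hosts, keys, bs):
    """Nest the route so each host only learns its successor.
    Returns a sketch of r~ = (ad(s1), onion, ad(bs))."""
    onion = None
    for i in range(len(hosts) - 2, -1, -1):   # wrap s_{n-1}'s layer first
        nxt = hosts[i + 1]
        onion = seal(keys[hosts[i]], (nxt, f"sig({nxt})", onion))
    return (hosts[0], onion, bs)

def peel(host, keys, onion):
    """Executed at a host: learn the successor, strip one layer."""
    nxt, _sig, inner = unseal(keys[host], onion)
    return nxt, inner

# Walk a three-host route end to end:
keys = {h: f"key-{h}" for h in ("s1", "s2", "s3")}
first, onion, last = build_route(["s1", "s2", "s3"], keys, "bs")
hops, host = [first], first
while onion is not None:
    host, onion = peel(host, keys, onion)
    hops.append(host)
hops.append(last)
```

Each `peel` call models one host's decryption step: the host sees only its successor's address, never the rest of the route.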
The signatures contained in r̃ and d̃ provide data integrity and allow modifications
to be detected. The signatures depend on several agent components, which prevents
attackers from exchanging components taken from different agents belonging to the
same agent owner b.
After host si has produced the computation results δi , it signs them. Thus, we
define δ̃i = Eb (δi , Sigsi (δi , bc, d̃)). At the end of the journey, the agent contains all
computation results, i.e., δ̃ = (δ̃1 , . . . , δ̃n ). Initially, the portions δ̃i are empty.
In the following, we assume that an agent ã consists of the following components:
ã = (bc, r̃, d̃, δ̃).
In the following, we show how to prevent a vendor from linking information gathered
by tracking a buyer during the search phase with the buyer's real identity when he
submits an order. In 6.1, we show how to deliver an order with an agent. In
6.2 and 6.3, we explain how different kinds of tracking are prevented. In 6.4, we point
out how the linking probability for the vendor can be decreased by using functionalities
of the new infrastructure components. Routes containing several vendor addresses are
discussed in 6.5.
For simplicity, we assume that a buyer b decides to buy at just one vendor, say s1 . While
searching through s1 's catalog, b has a look at various products and finally decides to
buy a subset p1 , . . . , pk of them. During this time, s1 can track b's activities
and store them in a new profile, say profi , which belongs to a single identity; however,
he is unable to map these activities to b's identity. Then, b creates the order information,
including identifiers of these products, his name, and his address, to be contained in d1 .
After that, b creates d̃ = Ee1 (d1 , Sigb (Ee1 (d1 ), bc)) and r̃ = (ad(s1 ), ad(bs)), and
finally ã = (bc, r̃, d̃, δ̃), with δ̃ = ∅.
In a next step, b transfers ã to the base station bs and instructs it to dispatch ã. This
base station is maintained by a specialized mobile agent base provider. This provider
does not play the role of a trusted third party in the usual sense; in fact, the buyer's
trust in the provider is rather minimal. Since the provider does not get any information
about the search phase, he can neither exploit this information himself nor pass it to
others. This is due to the fact that the agents do not contain information such as IP
addresses, cookies, or dynamic URLs that could be exploited by the vendor for linking.
The provider is trusted not to give the buyer's IP address to the vendor, not to delete
agents after having received them, and not to release agents earlier than declared (this
will become clear later).
Now, ã can migrate to s1 and deliver its data d1 . Since d1 is encrypted asymmetrically,
it can only be opened by s1 , i.e., bs does not learn which products were ordered by b.
Furthermore, by verifying the signature, s1 can check whether the order was undeniably
created by b and whether it has been modified. If the data contained in the agent does
not appear to be corrupted, s1 creates the output δ1 and δ̃1 = Eb (δ1 , Sigs1 (δ1 , bc, d̃)),
which is handed over to the agent. Such an output could be, e.g., s1 's confirmation of
having received the order and a declaration that it will be carried out immediately. For
integrity reasons, all outputs should be signed by the vendor. Afterwards, the agent is
sent to bs according to the last route entry ad(bs). There, ã waits until b connects to bs
the next time.
Prices. Another possibility to increase the linking probability could be achieved via
variable pricing strategies. E.g., an unfair vendor could offer the same product at slightly
differing prices. When he later receives an order that contains the price presented in the
offer then the vendor can easily exclude all those profiles from the potential set of
candidates in which he offered the specific product for a different price. If the buyer
does not send the prices the vendor might sell him the ordered goods at (theoretically)
any price. In order to prevent this, we propose that the vendor gives a temporary price
guarantee for any product he sells, i.e., he commits himself to charge a fixed price for
a given product for some period of time. This could be realised, e.g., by creating and
publishing a vendor-signed document that contains the products, their respective prices,
and the validity period. This guarantee can be downloaded by the buyer and be kept
for later reference. Of course, the concept using guarantees only works in cases where
prices do not change too frequently. If a vendor serves customers with distinct price
guarantees in order to track them, then he does not know the exact prices at which he
offered his products to a specific customer. Thus, if he is trying to identify a buyer by
his offered prices, the vendor can only guess the price a customer expects according
to his downloaded guarantee. Should the vendor make a wrong guess to the buyer's
disadvantage, the buyer can present his price guarantee, proving that the vendor tried to
deceive him. In this case, since the price guarantee is disclosed, the vendor would be
able to link a profile to the customer. However, disputes are unattractive for the vendor,
because if they occur frequently the vendor's reputation will degrade. If, on the other
hand, the vendor makes a wrong guess to the buyer's advantage, i.e., bills him a lower
price than expected, then the buyer will surely accept; the vendor thus lowers his profit
and, moreover, links the order to a wrong profile.
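A minimal sketch of such a signed price guarantee; an HMAC stands in for the vendor's signature (a real deployment would need a public-key signature so that any third party, not just the key holder, can verify the document):

```python
import hashlib
import hmac
import json

VENDOR_KEY = b"vendor-secret"   # stand-in for the vendor's signing key

def issue_guarantee(prices: dict, valid_until: str) -> dict:
    """Vendor-signed document: products, prices, and validity period."""
    doc = json.dumps({"prices": prices, "valid_until": valid_until},
                     sort_keys=True)
    sig = hmac.new(VENDOR_KEY, doc.encode(), hashlib.sha256).hexdigest()
    return {"doc": doc, "sig": sig}

def verify_guarantee(g: dict) -> bool:
    """Check that the guarantee was not altered after signing."""
    expected = hmac.new(VENDOR_KEY, g["doc"].encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, g["sig"])

g = issue_guarantee({"PID-4711": "19.90 EUR"}, "2002-12-31")
```

The buyer downloads and stores `g`; in a dispute, any altered price in `doc` makes verification fail, which is what lets the buyer prove deception.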
Product ordering. To counter the correlation of the click sequence in profi from the
search phase with the product sequence in the order, the buyer should have the
possibility to arrange the PIDs in an arbitrary sequence. This sequence can be randomly
created, or obtained by sorting the PIDs, e.g., in lexicographic order. This is sufficient as
long as s1 's database contains other profiles, produced by other customers who also
viewed at least p1 , . . . , pk in one session, which help to decrease the vendor's
linking probability.
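Either rearrangement is a one-liner; both remove the click-sequence signal described above:

```python
import random

def canonical_order(pids):
    """Sort PIDs lexicographically, as suggested in the text."""
    return sorted(pids)

def random_order(pids):
    """Alternatively, shuffle the PIDs randomly."""
    shuffled = list(pids)
    random.shuffle(shuffled)
    return shuffled

clicked = ["PID-9", "PID-2", "PID-5"]   # the order in which b viewed them
```

After `canonical_order(clicked)`, the submitted order no longer reflects the browsing sequence, so the vendor cannot use it to single out b's profile.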
Start of Journey Dependent on Time. We propose that the base station provide a
service that lets the buyer define a delay between receiving the agent from the buyer and
eventually dispatching it. Since this delay is unknown to the vendor, he does not know
whether to link the order with profiles stored in the past minutes, hours, or even days. In
order to have the correct profile in the set of candidates with high probability, the time
interval considered by the vendor must be large. But then, µ can also be assumed to
have increased. Of course, this depends on the specific statistics of the vendor's web site.
The dispatching time can be specified by the buyer by instructing the base station not to
release the agent before a delay ∆τ , or not before a time MM:dd:hh:mm. When price
guarantees are used, the delay must not exceed the validity period of the price guarantee.
This solution only requires the existence of the base station. But on the other hand,
there is no guarantee that the number of profile candidates is high enough. This guarantee
is achieved by using the cardinality observer.
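The delayed release can be sketched with a simple scheduler at the base station; the function name and callback interface are our own, not the paper's:

```python
import sched
import time

def schedule_release(dispatch, delay_seconds):
    """Hold an agent at bs and dispatch it after the buyer-chosen delay.
    In a real base station this would run in the background rather than
    block the caller."""
    s = sched.scheduler(time.time, time.sleep)
    s.enter(delay_seconds, 1, dispatch)
    s.run()

released = []
schedule_release(lambda: released.append("agent-42"), 0.01)
```

An absolute release time (the MM:dd:hh:mm variant) would simply convert the target time to a delay before calling the same scheduler.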
Start of Journey Driven by Cardinality. A delay still bears the risk of re-identification
if the number of candidates µ is still relatively small or even one. In that case, a buyer
b might not want to submit his order until µ reaches a certain threshold t, i.e., until there
is a group of µ ≥ t customers that also viewed the products p1 , . . . , pk —maybe besides
others— to be bought by b. Thus, there is a need to measure µ in order to control
the linking probability. For that, we propose two approaches. The first one, described
as perfect counting, is accurate about the size of µ but possibly incurs higher
transaction costs. The second approach, called partial counting, is based on an estimate
µ′ ≤ µ obtained by counting only the profiles of those customers who ordered some
products. Thus, customers who only viewed the products are not counted. This
approach incurs almost no
additional transaction costs. Both approaches require a new infrastructure component,
the cardinality observer co. The co counts the number of times specific sets of products
from some vendor have been viewed within distinct sessions. This also ensures that
products are not counted twice, for instance, when a customer views a product again
within the same session. Besides its counting facilities, co offers a notification service
to inform bs that the desired threshold t for a specific agent has been reached. The
co is trusted to send only honest notifications, i.e., it will not send a notification before t
has been reached. In the following, we assume that the parties playing the roles of bs
and co are distinct and that they are trusted not to collude.
Perfect Counting. In our first approach, a customer b sends messages containing his
profile data —products p1 , . . . , pν he viewed at some vendor v— to bs, which forwards
some non-identifying part of this data to co. The forwarded data is protected in such a
way that the customer's identity remains hidden from co while the content remains
hidden from bs. This can be achieved by a mechanism in which the buyer encrypts the
data with co's public key in order to hide the products from bs. The sequence of
messages takes the form Eco (rand1 , v, p1 ), . . . , Eco (rand1 , v, pν ), where rand1 is a
random number for linking messages from one customer's session, and p1 , . . . , pν are
the product IDs contained in web pages viewed by b. These messages are sent
automatically in parallel to b's search activities, regardless of b's decision to buy at v
or not. When b buys some products p1 , . . . , pk out of the products p1 , . . . , pν he
viewed, he must send a final message Eco (rand2 , v, p1 , . . . , pk , t) to co that contains
a random number rand2 , the vendor v, the products to be bought p1 , . . . , pk , and b's
preference for the minimal size t of the candidate set regarding these products. Here,
rand2 serves as a temporary agent ID for the agent that waits at bs to be released when
the number of candidates has reached t. Of course, the set of candidates is not always
growing: if candidate profiles become too old, they should not be considered anymore.
In this approach, co essentially learns the same information from the search phase as
the vendor; hence, it has perfect knowledge regarding the vendor's linking probability.
However, in contrast to the vendor, co is never given b's name and therefore cannot
link the obtained profile to b's identity. Thus, co cannot exploit this data in order to
infringe b's privacy. Furthermore, bs does not become aware of b's profile data or b's
order data. This approach clearly increases transaction costs, since the IDs of all
products viewed by b are transferred to co in order to allow accurate counting.
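The perfect-counting message flow can be sketched as follows; `seal_for_co()` stands in for encryption under co's public key, and the function names are ours:

```python
import secrets

def seal_for_co(payload):
    """Stand-in for E_co(...): in the real scheme, only co can open it."""
    return ("E_co", payload)

def view_messages(vendor, viewed_pids):
    """One message E_co(rand1, v, p_i) per viewed product."""
    rand1 = secrets.token_hex(8)   # links the messages of one session
    return [seal_for_co((rand1, vendor, p)) for p in viewed_pids]

def final_message(vendor, ordered_pids, t):
    """E_co(rand2, v, p1..pk, t); rand2 doubles as the temporary agent ID
    under which the agent waits at bs for release."""
    rand2 = secrets.token_hex(8)
    return rand2, seal_for_co((rand2, vendor, tuple(ordered_pids), t))

msgs = view_messages("v", ["p1", "p2", "p3"])
agent_id, final = final_message("v", ["p1", "p3"], t=5)
```

Note that the view messages carry `rand1` while the final message carries a fresh `rand2`, so co can count the session without linking the order to a later release request by anything but the threshold it triggers.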
Partial Counting. In this approach, b does not send his profile data p1 , . . . , pν to co
via bs while he is searching through the vendor site. Instead, he stores his profile data
locally and transfers them to bs together with the agent in case he decides to order some
products p1 , . . . , pk . Of course, both the order data and the profile data are protected
so that bs does not become aware of them. This is achieved by embedding a ciphertext
Eco (v, (p1 , . . . , pk ), (p1 , . . . , pν ), t) into the agent. After the agent has been transferred
to bs, bs extracts this message and forwards it to co together with a bs-chosen agent ID.
This agent ID is necessary in order to notify bs which agent should be released. Also
here, b hides his identity from co.
Using this method, bs must send only one additional message compared to the
approach with a fixed delay, where we do not have a co. Compared to the approach for
perfect counting, the costs for sending messages can be drastically reduced. However,
this approach is possibly less accurate than the former one, since only customers who
finally ordered some products are considered by co, instead of the possibly larger set
of customers who viewed these products. Hence, when a customer orders p1 , . . . , pk ,
co will notify the corresponding agent to start its journey when the condition µ′ ≥ t
becomes true, where µ′ is the number of customers that also ordered p1 , . . . , pk —
potentially beside other products. Clearly, µ′ ≤ µ, where µ is the number of profiles
containing p1 , . . . , pk recorded by the vendor. This means that agents may be delayed
longer than necessary, because the threshold t might already have been crossed while
non-buying customers are ignored. Also here, the number of relevant candidates µ′
may decrease when old profiles are no longer considered.
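Putting the pieces together, the observer's counting and notification logic might look like this; the class, method, and callback names are illustrative, not taken from the paper:

```python
from collections import defaultdict

class CardinalityObserver:
    """Count, per vendor, how many distinct sessions ordered a product
    set, and notify bs once a waiting agent's threshold t is reached."""

    def __init__(self, notify_bs):
        self.orders = defaultdict(set)   # (vendor, products) -> session ids
        self.waiting = {}                # agent_id -> (vendor, products, t)
        self.notify_bs = notify_bs

    def register_agent(self, agent_id, vendor, products, t):
        self.waiting[agent_id] = (vendor, frozenset(products), t)
        self._check()

    def record_order(self, session_id, vendor, products):
        # a session is counted once per product set: no double counting
        self.orders[(vendor, frozenset(products))].add(session_id)
        self._check()

    def _check(self):
        for aid, (v, ps, t) in list(self.waiting.items()):
            # mu': sessions whose ordered set contains ps, maybe among others
            mu = sum(len(sessions)
                     for (vv, pp), sessions in self.orders.items()
                     if vv == v and ps <= pp)
            if mu >= t:
                del self.waiting[aid]
                self.notify_bs(aid)   # tell bs to release this agent
```

A session that records the same product set twice is counted once (the `set` deduplicates it), matching the text's requirement that products are not double counted within a session.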
be advantageous, e.g., in cases when an order at vendor si should only be placed if
products at sj , to be visited before, are available. Furthermore, this possibility reduces
the number of mobile agents migrating through the network. Concerning the order
information transferred by the agent, no privacy problems arise, since this information
can only be opened by the intended vendor because of the asymmetric encryption.
One could argue that with longer routes, vendors learn which other hosts have to be
visited on the shopping tour, which gives some further insight into the buyer's behaviour
or interests. But this threat can be tackled with the route protection scheme presented
in expression (1). With this solution, a vendor only learns about his predecessor and
successor in the shopping tour. If a buyer does not want a vendor to become aware of
other shops that could be his predecessor or successor, the buyer can create the agent
route r̃ with intermediate stops at bs. This increases the number of migration steps on
the agent's journey but allows the buyer to enhance his privacy.
In the case of dependent agent computations —e.g., when order delivery at si depends
on computation results at sj — results have to be communicated from one vendor
to another. If one immediately follows the other, the required results can be exchanged
directly —provided that the buyer is willing to reveal these shopping tour stations to
the vendors. If the buyer decides to hide the vendors' identities from each other by
exchanging the agent via bs, then the results can be encrypted for bs, which decrypts
and re-encrypts them for the vendor that requires them. By applying such concepts, it
can be achieved that a vendor does not become aware of what b is ordering at other
vendors, as long as the vendors do not collude and exchange their trading information.
7 Architecture
In the following, we will sketch the architecture including the infrastructure components
that are needed for our solution. Figure 1 depicts the basic components which are required
in our system. The customer uses a simple web browser and the Customer Local Agent
Station (CLAS) which is a specific component of our solution. The vendor runs a usual
web server and a Vendor Agent Station (VAS). Additionally, there is the Mobile Agent
Base Station (MABS) which is provided by a third party that offers mobile agent services
to customers. And finally, we have the Cardinality Observer (CO) operated by another
third party.
The customer runs two applications: a browser and a CLAS. The CLAS component
is independent of a specific vendor. The CLAS software is provided by a party that
is trusted not to have embedded a Trojan horse in it. The CLAS comprises several
functionalities: (1) a client-side proxy, (2) a Product Selector (PS) from which products
can be put into a trolley-like agent, (3) a Mobile Agent Generation (MAG) component
resembling an agent workbench, and (4) a client to use the services of the MABS.
When the customer browses through the vendor catalog all requests are first sent
to the CLAS (figure 2, message 1) which forwards them to the vendor system (figure
2, message 2). The corresponding vendor response is received by the CLAS (figure 2,
message 3). Message 3 consists of a part destined for the CLAS and another part destined
for the browser. After extracting its own part, the CLAS forwards the remaining
message part to the browser (figure 2, message 4). The browser message part consists of
normal web page content, e.g., displaying products with some additional information.
The CLAS message part consists of the product identifiers for the same products which
are displayed at the same time by the browser. These identifiers are displayed by the
PS subcomponent. In contrast to normal scenarios, when the customer decides to buy
a product, he does not put it in some virtual trolley by clicking in the browser window.
The browser window is just used to get product information and to navigate through the
catalog. Instead, he takes the product ID from the PS and transfers it to the MAG. On
this agent workbench, the customer composes the agent in the desired manner, i.e., he
has to select the appropriate agent from the set of potential candidates. Then, he has to
create the input data while respecting the constraints which exist on the shopping tour,
e.g., buy at shop B only if the order at shop A can be fulfilled. Such constraints influence
the order of hosts to be visited, and thus, have to be considered when the agent route is
composed. After having selected an appropriate order of shops, the CLAS re-arranges
the sequence of the selected products as described in subsection 6.3, and then the MAG
automatically creates a route according to equation (1).
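The two-part vendor response handled by the CLAS proxy can be sketched as follows; the concrete message format (a mapping with `clas` and `html` parts) is our assumption for illustration:

```python
def handle_vendor_response(response: dict):
    """Split a vendor message into the CLAS part (PIDs for the Product
    Selector) and the browser part (ordinary page content)."""
    clas_part = response.get("clas", {"pids": []})
    browser_part = response.get("html", "")
    return clas_part["pids"], browser_part

# The proxy extracts its own part and forwards the rest to the browser:
pids, html = handle_vendor_response(
    {"clas": {"pids": ["PID-1", "PID-2"]},
     "html": "<html>catalog page</html>"})
```

The PIDs feed the PS subcomponent, while the browser part is forwarded untouched, so product selection never happens through the browser itself.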
The CLAS is also responsible for the creation of profile messages which are destined
for the CO. In case of perfect counting, it also sends them to the MABS. In case of partial
counting, it embeds them into the agent.
After having finished the shopping tour, the buyer transfers the agent to the MABS
(figure 2, message 5). Then, he can also give additional instructions, such as the
agent release delay and the threshold.
the MABS receives the notification message from the CO and has to map the
notification to the correct agent. When a condition for the agent release is satisfied,
the MABS lets the agent start its journey. When the agent returns to the MABS after its
journey, it is stored in a personal inbox which is only accessible by the corresponding
buyer. After the receipt of the agent, the MABS can inform the buyer that the agent
has returned and can now be picked up. Then, the buyer can connect to the MABS and
download the agent in order to verify the results of its journey. Therefore, the MAG also
comprises the necessary functionality for decrypting the data which were encrypted for
the customer by the visited vendors.
for the interaction with the agents generated by the customer, i.e., basic agent
execution facilities and the required security mechanisms explained previously.
Furthermore, the vendor has to provide messages that consist of a CLAS part and a
browser part. Whenever a customer requests product information on potentially ordered
goods by using mobile agents, the vendor's web server responds with messages that
can be processed by the CLAS.
By using the CLAS for selecting the product to be ordered in the proposed way,
we can be sure that no hidden channel is established to the vendor. Hidden channels
could arise when a buyer selects a product directly from a browser. Such a hidden
channel would increase the linking probability by reducing the set of candidates to those
parties that actually selected the corresponding products. Our solution, by contrast, deals
with a set of potential candidates containing all parties that viewed the product, whether
or not they finally decided to buy it.
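The linking probability mentioned above can be illustrated numerically. The helper below is our own sketch, not part of the proposed system; it assumes all candidates are equally likely, and the numbers are hypothetical:

```python
def linking_probability(candidates: int) -> float:
    """Chance that the vendor correctly links one order to one of the
    equally likely parties that viewed (or selected) the product."""
    if candidates < 1:
        raise ValueError("need at least one candidate")
    return 1.0 / candidates

# With a hidden channel, only the parties that actually selected the
# product remain candidates; without it, every party that merely
# viewed the product is a candidate.
p_selected_only = linking_probability(4)
p_all_viewers = linking_probability(200)
assert p_all_viewers < p_selected_only
```

Keeping the candidate set as large as the set of all viewers is exactly what makes the vendor's linking attempt a low-probability random experiment.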
8 Related Work
Other work in the area of privacy protection that also focuses on preventing the
exploitation of server log files can be found in the anonymity literature, e.g., [8,9,12].
Typically, the goals there are sender anonymity, receiver anonymity, and unlinkability
of sender and receiver; the focus is not on how to avoid linkability of subsequent
messages exchanged between a customer and a web server. Since we are dealing with
applications in which the buyer reveals his identity in some phase of the business
relationship, we require unlinkability of the messages exchanged in distinct phases.
Most of the work done so far (e.g., [2,11]) has dealt with online selling.
There, the focus for privacy protection has exclusively been on the trade of intangible
goods where anonymity networks can be used without problems. This means that no
real identity and physical address have to be revealed.
Other work dealing with privacy protection concerning gathering information on
customer activities in business processes was presented in [1,5]. There, they deal with
privacy protection in customization and targeting.
9 Conclusions
We have presented a solution which allows a buyer of tangible goods to enhance his
privacy. Our solution applies mobile agents and a new infrastructure in order to prevent a
vendor from linking information gathered in the search and order phase of the business
process. For the vendor, the linking of these activities is a random experiment. The
success probability of this experiment depends on the number of customers that have
viewed the corresponding products. The proposed system and the new infrastructure
components allow the introduction of distinct variants like agent delay and cardinality
control which both have advantageous effects on the linking probability. Furthermore,
we have considered the case of shopping tours in which an agent delivers orders to
several vendors. The proposed solution can be implemented in existing electronic shops
where tangible goods are sold in order to enhance the privacy of the buyer.
A New Infrastructure for User Tracking Prevention and Privacy Protection 213
References
1. Robert M. Arlein, Ben Jai, Markus Jakobsson, Fabian Monrose, and Michael K. Reiter.
Privacy-preserving global customization (extended abstract). In Proceedings of the 2nd ACM
conference on Electronic Commerce (EC’00), October 2000.
2. Feng Bao and Robert Deng. Privacy protection for transactions of digital goods. In Information
and Communications Security (ICICS 2001), Third International Conference, Proceedings,
number 2229 in LNCS. Springer Verlag, November 2001.
3. Roger Clarke. Internet privacy concerns confirm the case for intervention. Communications
of the ACM, 42(2), February 1999.
4. Donna L. Hoffman, Thomas P. Novak, and Marcos Peralta. Building consumer trust online.
Communications of the ACM, 42(4), April 1999.
5. Ari Juels. Targeted advertising ... and privacy too. In Progress in Cryptology — CT-RSA 2001,
The Cryptographers’ Track at RSA Conference 2001 San Francisco, Proceedings, number
2020 in LNCS. Springer Verlag, 2001.
6. D. Kristol and L. Montulli. HTTP State Management Mechanism. RFC 2109, February 1997.
7. Danny B. Lange and Mitsuru Oshima. Programming and Deploying Java Mobile Agents with
Aglets. Addison-Wesley, 1998.
8. Michael G. Reed, Paul F. Syverson, and David M. Goldschlag. Proxies for anonymous routing.
In Proceedings of 12th Annual Computer Security Applications Conference (ACSAC’96).
IEEE Press, December 1996.
9. Michael K. Reiter and Aviel D. Rubin. Crowds: Anonymity for web transactions. ACM
Transactions on Information and System Security, 1(1), 1998.
10. Ron L. Rivest, Adi Shamir, and Leonard M. Adleman. A method for obtaining digital signa-
tures and public-key cryptosystems. Communications of the ACM, 21(2), February 1978.
11. Stuart G. Stubblebine, Paul F. Syverson, and David M. Goldschlag. Unlinkable serial trans-
actions: Protocols and applications. ACM Transactions on Information and System Security,
2(4), 1999.
12. Paul F. Syverson, Michael G. Reed, and David M. Goldschlag. Private web browsing. Journal
of Computer Security — Special Issue on Web Security, 5(3), 1997.
13. Huaiqing Wang, Matthew K.O. Lee, and Chen Wang. Consumer privacy concerns about
internet marketing. Communications of the ACM, 41(3), March 1998.
14. Dirk Westhoff, Markus Schneider, Claus Unger, and Firoz Kaderali. Protecting a mobile
agent’s route against collusions. In Selected Areas in Cryptography, 6th Annual International
Workshop (SAC’99), number 1758 in LNCS. Springer Verlag, 2000.
Different Smartcard-Based Approaches to
Physical Access Control
1 Introduction
G. Davida, Y. Frankel and O. Rees (Eds.): InfraSec 2002, LNCS 2437, pp. 214–226, 2002.
© Springer-Verlag Berlin Heidelberg 2002
3 Smart Cards
As stated in the introduction of this paper, one of the most important components
we have used to design our system is the TICA – presented in the previous
section – which uses smart card readers to access the information contained in
the smart cards [FPMY98] owned by final users.
Regarding smart cards, we have designed and implemented the system with
Java Cards [mic00b,mic00c] and full-RSA smart cards (with an on-board implementation
of the 1024-bit RSA algorithm), acting as RSA cryptographic devices and as
repositories of private user information, containing private keys, certificates,
personal identification numbers, and authorization information.
Smart cards are, by definition, electronic devices similar to credit cards except
they contain a microprocessor chip that can run programs and store data with a
high level of security. This protection is mainly based on the physical protection
provided by the smart card owner (who normally stores it in his own wallet) and
certain security levels managed by the microprocessor.
This security is defined to protect the information itself and to protect the
communication with the outside world. For this last case, the RSA (normal and
Java Card) microprocessor cards we have used to develop this architecture are
able, using on-board software stored in ROM memory, to run symmetric cryptographic
algorithms (with keys shared between sender and receiver) such as DES and 3-DES,
and thus to authenticate their communication with any device sharing the same
keys, as is the case with external SAM (Secure Access Module) devices
[FPMY98]. This security level is complementary to the PIN-based access security
level normally used to protect the specific information contained in the smart
card, such as the user's private key or the personal identification number.
It is also very important to remark that the RSA smart cards we are using have
an on-board key generation system: the user is able to generate and use his private
keys (to sign or decrypt messages), but unable to export these private keys to the
outside world in any way. This is quite important in order to avoid creating any
weak point in the centralized and distributed physical access control systems we
have designed and implemented.
In the case of Java Cards, that is, smart cards that can manage and run
Java applications stored in their own memory, the security level remains the same,
with symmetric algorithms for external communications, PIN codes to protect
the internal data, and on-board private key generation (the keys cannot be exported
in any case). The advantage of this kind of smart card is the possibility
of using different Java Card applets [mic00a] to properly manage the SPKI
credentials associated with different application environments.
4 A Centralized Solution
In this section, we present the centralized system which has been used as the
starting point for the design of our decentralized solution. This system is
similar to other commercial products existing today, and the point of describing
this widely deployed solution is to present some drawbacks which can be
overcome using a different approach. Nevertheless, it is being successfully used in
many scenarios (including our University, where about one hundred TICAs are
being used for access control to laboratories, buildings, and car parks),
and it addresses the main issues concerning the access control problem.
Key Distribution is performed using unique identifiers. Each user has a unique
identifier which is stored into his smartcard. The central database contains one
table for every installed TICA. These tables are formed by different records
which specify the unique identifiers of the authorized users, the set of permis-
sions assigned to the identifier, and some additional data. When a new user is
authorized to perform a specific action with a particular TICA, a new record
has to be inserted in the related table.
Key Revocation is very straightforward. If the authorization manager wants
to revoke some permissions previously granted to a specific user for a particular
TICA, all he has to do is to delete the records of the identifier involved from the
database tables.
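The per-TICA tables and the two management operations just described can be sketched as follows. This is a minimal in-memory model of ours; the real system uses a central database, and all names here are hypothetical:

```python
# One table per installed TICA: unique identifier -> set of permissions.
tables: dict[str, dict[str, set[str]]] = {"tica1": {}}

def grant(tica: str, user_id: str, permissions: set[str]) -> None:
    """Authorize a user: insert a record into the TICA's table."""
    tables[tica].setdefault(user_id, set()).update(permissions)

def is_authorized(tica: str, user_id: str, action: str) -> bool:
    """The query a TICA issues against the central database."""
    return action in tables.get(tica, {}).get(user_id, set())

def revoke(tica: str, user_id: str) -> None:
    """Revocation: simply delete the user's records."""
    tables[tica].pop(user_id, None)

grant("tica1", "user42", {"open-door"})
assert is_authorized("tica1", "user42", "open-door")
revoke("tica1", "user42")
assert not is_authorized("tica1", "user42", "open-door")
```

Note how revocation is immediate here, which is the main operational advantage of the centralized approach.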
Roles are not considered. This solution binds permissions to users directly.
The introduction of roles might provide the ability of establishing independent
relations between users and roles, and between roles and permissions.
218 Ó. Cánovas et al.
The principal guidelines of this type of access control management are shown
in Figure 1. During an initial registration phase, the user obtains his smartcard
and his unique identifier. He can also request access to some specific
building or department. Depending on the particular access control policy, the
manager might include a record in the database table related to the TICA
controlling the requested access. Then, the user inserts his smartcard into the
TICA and requests a specific action (open the door, start working, etc.).
Finally, the TICA makes a query to the central database asking whether or not
to grant the action.
The client application that has been placed in the TICA devices has been
fully developed in Java. It runs in the SBC board and communicates with the
interface board by way of a serial port. Although the application requires an
on-line connection in order to query the application servers, it is designed to be
fault tolerant: it can maintain a local copy of the authorization-related
information in order to keep working in case of a network failure. Furthermore,
it keeps a transaction cache and can be synchronized with an NTP (Network
Time Protocol) server, which is important to obtain time-consistent records. It
makes use of the following technologies:
Every time a new TICA device is connected to the network, its manager has to
generate a private key for the device and request the corresponding certificate
from the certification authority of the existing PKI.
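The fault-tolerant query behaviour described above (answering from a local copy of the authorization data when the network fails, and logging transactions for later synchronization) might be sketched like this; the class and function names are hypothetical, not the actual Java implementation:

```python
class TicaClient:
    """Sketch of the on-line query with an offline fallback cache."""

    def __init__(self, query_server):
        self.query_server = query_server   # callable: (user, action) -> bool
        self.cache = {}                    # last known answers
        self.pending_log = []              # transactions to sync later

    def authorize(self, user: str, action: str) -> bool:
        try:
            decision = self.query_server(user, action)
            self.cache[(user, action)] = decision   # refresh local copy
        except ConnectionError:
            # Network failure: keep on working from the local copy.
            decision = self.cache.get((user, action), False)
        self.pending_log.append((user, action, decision))
        return decision

def server_ok(user, action):
    return action == "open-door"

def server_down(user, action):
    raise ConnectionError("network failure")

tica = TicaClient(server_ok)
assert tica.authorize("user42", "open-door")   # on-line answer, now cached
tica.query_server = server_down
assert tica.authorize("user42", "open-door")   # served from the local copy
```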
Although the solution presented above has been used successfully and solves most
of the common access control problems, it has some drawbacks that can be fixed
by following a different approach.
Example application. In this section, we show the elements involved in a
particular delegation chain. First, we have the following authorization certificate
issued by tica1. This certificate gives AA1 full authority over the tica1 located
in section1, and the permission to delegate it further.
Then, AA1 has two alternatives. First, it might issue another (short lived)
authorization certificate to a specific final user U1.
The second option is issuing an attribute certificate for the R1 role members
defined by NA1.
NA1 issues (short lived) ID certificates for the different members of roles
defined by itself. One of those certificates is the following one.
When the user U1 inserts his smartcard into tica1 and requests the door to be
opened, the following signed statement is generated (where time-stamp represents
the current instant).
Now, tica1 can use one of the available certificate chain discovery methods
[Eli98] in order to determine whether a delegation path authorizing such a
request exists. In this particular example, the certificates presented above will
authorize the action if it is performed within the specified validity ranges.
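The chain check that tica1 performs might look as follows in outline. Signature verification and the SPKI tag (permission) intersection are omitted, and all field names are our own, not the SPKI certificate format:

```python
from dataclasses import dataclass

@dataclass
class Cert:
    issuer: str
    subject: str
    may_delegate: bool
    not_before: int   # validity range as abstract time stamps
    not_after: int

def chain_authorizes(chain: list[Cert], verifier: str,
                     requester: str, now: int) -> bool:
    """Does the delegation path authorize the requester's action at 'now'?
    (Signature checks and permission intersection are omitted.)"""
    if not chain or chain[0].issuer != verifier:
        return False
    prev_subject = verifier
    for i, cert in enumerate(chain):
        if cert.issuer != prev_subject:
            return False                      # broken chain
        if not (cert.not_before <= now <= cert.not_after):
            return False                      # outside validity range
        if i < len(chain) - 1 and not cert.may_delegate:
            return False                      # delegation not permitted
        prev_subject = cert.subject
    return prev_subject == requester

chain = [Cert("tica1", "AA1", True, 0, 1000),   # full authority + delegation
         Cert("AA1", "U1", False, 100, 200)]    # short-lived user cert
assert chain_authorizes(chain, "tica1", "U1", 150)
assert not chain_authorizes(chain, "tica1", "U1", 500)  # user cert expired
```

The short validity range of the user certificate plays the role of implicit revocation, which is why the decentralized scheme can work offline.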
There are two main applications that have been implemented. First, we have
an application that is able to generate SPKI certificates and to store them in
smartcards. The other application is the software installed in the TICA devices.
Both implementations are based on CDSA (Common Data Security Archi-
tecture) [Cor01]. CDSA is a set of layered security services that provide the in-
frastructure for scalable, extendible and interoperable security solutions. These
security services are performed by add-in security modules. The five basic service
categories are: Cryptographic Service Providers (CSPs), Trust Policy Modules
(TPs), Certificate Library Modules (CLs), Data Storage Library Modules (DLs),
and Authorization Computation Modules (ACs). We used the Intel version 3.14
6 Conclusions
In this paper, we have presented two different physical access control systems
making use of special devices (TICAs) and RSA smart cards. As we have ex-
plained, those devices and this kind of smartcards can be used to implement ac-
cess control using different approaches, ranging from secure queries to a central
database, to a distributed offline system making use of authorization certificates.
We think that our decentralized solution provides additional mechanisms compared
with the centralized one, such as non-repudiation, better scalability,
and suitability for offline environments. To the best of our knowledge, there is
no similar RBAC and SPKI-based proposal for physical access control environ-
ments.
References
[AFK96] A. O. Freier, P. Karlton, and P. C. Kocher. The SSL Protocol Version 3.0,
1996. Internet Draft.
[Aur98] T. Aura. On the structure of delegation networks. In Proc. 11th IEEE
Computer Security Foundations Workshop, pages 14–26, MA USA, June
1998. IEEE Computer Society Press.
[BFIK99] M. Blaze, J. Feigenbaum, J. Ioannidis, and A. Keromytis. The role of
trust management in distributed systems security. In Secure Internet
Programming: Security Issues for Distributed and Mobile Objects, volume
1603 of LNCS, pages 185–210. Springer, 1999.
[CDFR98] J. Callas, L. Donnerhacke, H. Finney, and R. Thayer. OpenPGP Message
Format, 1998. Request For Comments (RFC) 2440.
[CG02] O. Canovas and A. F. Gomez. A Distributed Credential Management
System for SPKI-Based Delegation Systems. In Proceedings of 1st Annual
PKI Research Workshop, Gaithersburg MD, USA, April 2002.
[Cor01] Intel Corporation. Common Data Security Architecture (CDSA). World
Wide Web, http://developer.intel.com/ial/security, 2001.
1 Introduction
G. Davida, Y. Frankel and O. Rees (Eds.): InfraSec 2002, LNCS 2437, pp. 227–245, 2002.
© Springer-Verlag Berlin Heidelberg 2002
228 S. Gürgens, P. Ochsenschläger, and C. Rudolph
sary properties, thus proving that the protocol itself provides authenticity and
proof of authenticity.
the set of all sequences that look exactly the same from P ’s local view after ω
has happened. But depending on his knowledge about the system S and un-
derlying security mechanisms and system assumptions, P does not consider all
sequences in this set possible. Thus he can use his knowledge to reduce this set:
λ⁻¹P,Σ(λP,Σ(ω)) ∩ WP describes all sequences of actions P considers to be possible
when ω has happened.
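This knowledge reduction can be played through on a toy system. The alphabet, the agent's view, and the knowledge set WP below are chosen by us purely for illustration and are not part of the paper's framework:

```python
from itertools import product

ALPHABET = ["send_Q", "recv_P", "noise"]
P_ACTIONS = {"recv_P"}          # actions visible to agent P

def local_view(seq):
    """lambda_P: P observes only its own actions."""
    return tuple(a for a in seq if a in P_ACTIONS)

def well_formed(seq):
    """W_P: P knows that a receive can only follow a send."""
    sent = False
    for a in seq:
        if a == "send_Q":
            sent = True
        elif a == "recv_P" and not sent:
            return False
    return True

# All sequences of length < 3 over the alphabet.
system = [s for n in range(3) for s in product(ALPHABET, repeat=n)]
W_P = {s for s in system if well_formed(s)}

omega = ("send_Q", "recv_P")
# lambda_P^{-1}(lambda_P(omega)) ∩ W_P within the toy system:
possible = {s for s in system
            if local_view(s) == local_view(omega) and s in W_P}

# In every sequence P still considers possible, a send happened before.
assert all("send_Q" in s for s in possible)
```

Here P's raw observation (a single receive) is compatible with many sequences, but intersecting with W_P leaves only those containing a prior send; this is exactly the mechanism behind the authenticity definition that follows.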
In this paper we use systems S ⊆ Σ* and S' ⊆ (Σ')* on two specific abstraction
levels to illustrate our approach. We will refer to these levels as “the
high level” and “the low level” of abstraction. Accordingly, we use WP and λP
whenever we are referring to a general system S, and WP, λP and W'P, λ'P when we
want to differentiate between the agents’ knowledge about the respective systems
and their local views on the systems on the two different abstraction levels.
In this section we formally define the security properties authenticity and proof
of authenticity and then give sufficient conditions on language homomorphism
to preserve these properties from higher to lower levels of abstraction.
A set of actions Γ is authentic for agent P if in all sequences that P considers
possible after a sequence of actions has happened, some time in the past an
action in Γ must have happened. One (or more) of the actions of ω performed
by P is responsible for Γ being authentic for P. This can be, for example, that
P receives an offer. If then all sequences of actions he considers possible contain
a send offer action performed by Q, then the set of actions where Q sends an
offer is authentic for P. Our notion of authenticity differs from others in that we
define authenticity relative to what an agent considers possible, while usually
authenticity is defined from a global view of the system (see e.g. [12]).
In the following let S ⊆ Σ ∗ be a prefix closed language describing the be-
haviour of a system and let P be a set of agents.
Some actions do not only require authenticity but also need to provide a proof
of authenticity. If agent P owns a proof of authenticity for a set Γ of actions, he
can send this proof to other agents, which in turn can receive the proof and then
own it. In the following definition the set Γ P denotes actions that provide agents
with proofs about the authenticity of Γ . If agent P has executed an action from
Γ P then Γ is authentic for P and P can forward the proof to any other agent
using actions in Γ S .
In this section the security properties defined above are demonstrated in the first
step of a typical e-commerce situation, namely the price offer/request protocol
already introduced in Section 2.1. As sending and receiving of the price request
may not be relevant for the security of the transaction, we only consider the
situation in which service providers make offers to clients. We assume that every
agent P ∈ P can act as client and receive offers, while service providers are in
the set SP ⊆ P. For simplicity we do not explicitly specify prices and services.
We write PRO to denote the price offer example. Since we specify the system
on a high abstraction level, alphabet, system, etc., will be denoted by Σ', S'PRO,
etc., in contrast to alphabet Σ, system SPRO, etc., on the low abstraction level.
To formalize the security property that each client can prove the authenticity
of an offer received on a most abstract level, we have to consider the following
actions:
Now, in our framework we have to consider each agent’s knowledge WP about
the possible sequences of actions. To formalize proof of authenticity of offers, each
agent has to know that a proof can only be received if a corresponding offer has
been sent before, and that a proof can only be sent if it has been received before.
So for P ∈ P, let
Authenticity and Provability – A Formal Framework 235
W'P = Σ'* \ ⋃_{SP∈SP, Q∈P} ( (Σ' \ {OFFER-S_SP})* {PROOF-R_Q(SP)} Σ'*
        ∪ (Σ' \ {PROOF-R_Q(SP)})* {PROOF-S_Q(SP)} Σ'* )
By this definition all W'P are equal, and we consider the abstract system
behaviour S'PRO = W'P for each P ∈ P.
Property 1 For each SP ∈ SP, ({PROOF-S_P(SP) | P ∈ P}, {PROOF-R_P(SP) |
P ∈ P}) is a proof action pair of authenticity for {OFFER-S_SP} with respect to
(W'P)_{P∈P}.
Proof:
Condition 1: Let ω ∈ S'PRO with alph(πP(ω)) ∩ {PROOF-R_P(SP) | P ∈ P} ≠ ∅.
Hence we have PROOF-R_P(SP) ∈ alph(ω), which implies PROOF-R_P(SP) ∈
alph(x) for each x ∈ λ'P⁻¹(λ'P(ω)). By the definition of W'P, it follows that
OFFER-S_SP ∈ alph(x) for each x ∈ λ'P⁻¹(λ'P(ω)) ∩ W'P.
Condition 2: In particular, for x = ω, we have PROOF-R_P(SP) ∈ alph(ω) and
OFFER-S_SP ∈ alph(ω). Hence ω PROOF-S_P(SP) PROOF-R_R(SP) ∈ S'PRO
for each R ∈ P, because none of these action sequences violates the restrictions
defining S'PRO.
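The restriction on the agents' knowledge sets in the price offer example (a proof can only be received after the corresponding offer was sent, and only be forwarded after it was received) can also be read operationally as a predicate on action sequences. The toy version below is our simplification for a single service provider and client, dropping the indices:

```python
def in_W(seq) -> bool:
    """Membership sketch for the knowledge set of the price offer
    example, for one service provider and one client (our own
    simplification of the formal definition)."""
    offer_sent = proof_received = False
    for action in seq:
        if action == "OFFER-S":
            offer_sent = True
        elif action == "PROOF-R":
            if not offer_sent:
                return False       # proof received without a prior offer
            proof_received = True
        elif action == "PROOF-S" and not proof_received:
            return False           # proof forwarded before being received
    return True

assert in_W(("OFFER-S", "PROOF-R", "PROOF-S"))
assert not in_W(("PROOF-R",))            # excluded by the first term
assert not in_W(("OFFER-S", "PROOF-S"))  # excluded by the second term
```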
On the lower abstraction level, we model a system of protocol agents using Asyn-
chronous Product Automata (APA). APA are a universal and very flexible oper-
ational description concept for cooperating systems [10]. It “naturally” emerges
from formal language theory [9]. APA are supported by the SH-verification tool
that provides components for the complete cycle from formal specification to
exhaustive verification [10].
An APA can be seen as a family of elementary automata. The set of all
possible states of the whole APA is structured as a product set; each state is
divided into state components. In the following the set of all possible states is
called state set. The state sets of elementary automata consist of components of
the state set of the APA. Different elementary automata are “glued” by shared
components of their state sets. Elementary automata can “communicate” by
changing shared state components.
Figure 1 (see Section 4.2) shows a graphical representation of the APA for a
system of two protocol agents A and B. The figure shows the structure of the
automaton. The circles represent state components and a box corresponds to one
elementary automaton. The full specification of the APA includes the transition
relations of the elementary automata and the initial state. The neighbourhood
relation N (indicated by arcs) determines which state components are included
in the state of an elementary automaton and may be accessed and changed by
one of its state transitions. For example, a state transition of automaton SendA
may change the content of Network and StateA , while InternalA may change
StateA but cannot access Network.
Fig. 1. APA model of the two protocol agents A and B: state components ChannelsA,
ChannelsB, StateA, StateB, ApplMemA, ApplMemB and the shared component Network;
elementary automata RecA, RecB, InternalA, InternalB, SendA, SendB, ApplA, ApplB.
InternalP is used for P ’s internal actions. The state component
StateP serves as the agent’s internal memory, which can be used to perform
checks during the run of the protocol, and ChannelsP holds the channels P is able
to send on and to receive from, respectively. For the sake of brevity, we omit the
formal definition of the state sets and refer the reader to [6].
In addition to the graphical representation specifying elementary automata,
state components and neighbourhood relationship, for the specification of an
APA the following parts have to be specified.
State sets. For each state component C ∈ S its state set ZC has to be defined.
In the protocol model, the state of a state component is a multiset. Therefore,
state sets are sets of multisets. For each state component C ∈ S a set MC has
to be specified such that the state set ZC is defined as the set of all multisets of
MC .
State transition relation. For the definition of the state transition relation we
use so-called state transition patterns (because of space restrictions we omit the
formal definition). In Section 5 we show how they are employed.
An authentication channel has the property that only one agent can send
messages on it, while all agents can receive them (provided they possess the
channel). If agent P receives a message on Q’s authentication channel, a matching
send event must have happened before in all sequences that P considers to be
possible.
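This channel property can be stated as a small trace predicate; the event encoding is our own, not part of the APA model:

```python
def channel_respected(trace, owner: str) -> bool:
    """Sketch of the authentication channel property: only the owner
    may send on the channel, and every receive must be preceded by a
    matching send (event encoding: (agent, kind, message))."""
    sent = []
    for who, kind, msg in trace:
        if kind == "send":
            if who != owner:
                return False          # only one agent can send
            sent.append(msg)
        elif kind == "recv" and msg not in sent:
            return False              # receive without a matching send
    return True

assert channel_respected([("SP", "send", "m"), ("P", "recv", "m")], "SP")
assert not channel_respected([("P", "recv", "m")], "SP")
assert not channel_respected([("Q", "send", "m")], "SP")
```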
5.1 Specification
Initial state. For agents P, SP ∈ P the initial state of the system is defined by
ChannelsP(s0) = {((Proof, SP), rec)} and ChannelsSP(s0) = {((Proof, SP),
send)}. If P = SP, then ChannelsP includes both channel tuples. The state
component Network and all other state components StateP and ApplMemP of
agents P ∈ P are empty.
Protocol steps. We use so-called transition patterns to specify the protocol steps.
For the definition of the state transition relation of an elementary automaton
e ∈ E, we need to specify the properties of all states of components C ∈ N (e)
where e is active, i.e. can perform a state transition, and the changes of the states
caused by the state transition. In the transition pattern notation, the statements
before the arrow →_e constitute the prerequisites for e to perform a state
transition, and the statements behind →_e describe the changes of the state.
• Step 1 ()
    →_{ApplP}   (send, price req) .→ ApplMemP
  The name of this pattern is Step 1, and there are no variables. Elementary
  automaton ApplP starts the protocol by adding (send, price req) to the state
  component ApplMemP (denoted by .→).
• Step 2 ()
    (send, price req) ∈ ApplMemP   →_{SendP}
  If (send, price req) is contained in the state of ApplMemP, elementary
  automaton SendP may send a price request.
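The before/after reading of these transition patterns can be rendered operationally. This is our own sketch over Counter-based multisets; in particular, whether Step 2 consumes the token from ApplMemP is an assumption of ours:

```python
from collections import Counter

# State components as multisets (Counter), as in the APA model.
state = {"ApplMem_P": Counter(), "Network": Counter()}

def step1(s):
    # Step 1: no prerequisites; Appl_P adds (send, price_req)
    # to the state component ApplMem_P.
    s["ApplMem_P"][("send", "price_req")] += 1

def step2(s):
    # Step 2: enabled only if (send, price_req) is contained in the
    # state of ApplMem_P; Send_P then puts a price request on Network.
    if s["ApplMem_P"][("send", "price_req")] == 0:
        return False                       # prerequisite not satisfied
    s["ApplMem_P"][("send", "price_req")] -= 1
    s["Network"]["price_req"] += 1
    return True

assert not step2(state)   # Step 2 is not enabled before Step 1 ...
step1(state)
assert step2(state)       # ... and is enabled afterwards
assert state["Network"]["price_req"] == 1
```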
We assume that the user does not request the price from a particular ser-
vice provider, so that the message does not include any address.
The transition patterns Step 1, Step 2, . . . , Step 7, Proof Send and Proof
Rec define a set of state transitions which constitute a system SPRO ⊆ Σ*
without any malicious behaviour. Here Σ is the set of all defined state
transitions in the APA protocol model described in Section 4.2. We now consider
sets S ⊆ Σ* including not explicitly specified malicious behaviour. It is assumed
that SPRO ⊆ S. The structure of the APA model implies implicit assumptions
on what agents cannot do. Most important is the following assumption: the
neighbourhood relationship between elementary automata and state components
implies that no agent can read or change the state of other agents’ internal state
components ChannelsP, StateP and ApplMemP.
As the next step we want to establish a relation between the abstract system
S'PRO specified in Section 3 and all systems S with SPRO ⊆ S ⊆ Σ*. Therefore
we specify a homomorphism from Σ* to Σ'* and show that it preserves
authenticity and proofs in accordance with Definition 3 and Definition 4,
respectively. S includes malicious behaviour and is restricted by the knowledge
of agents about the security mechanisms used in the system. For each agent P,
this knowledge is described by the set WP. Therefore we assume S ⊆ WP for
all P ∈ P.
The first assumption about the knowledge of P ∈ P concerns the proof chan-
nel of SP ∈ SP.
The property that every agent P ∈ P can give proof of authenticity requires
that all agents keep the proofs in their respective State component. If an agent
deletes proofs he cannot give proof anymore. Notice that no other agent but P
itself can change StateP .
(s, (e, a, var), s̄) denotes a state transition of elementary automaton e with
a ∈ φe (the alphabet of e) and the list of interpretations of variables var.
Proof: We show that for every sequence ω ∈ (Σ')* that is not in W'P, all
sequences in the inverse image h⁻¹(ω) violate the properties of the proof channel
and consequently are not in WP. ω ∉ W'P implies
ω ∈ ⋃_{SP∈SP, Q∈P} ( (Σ' \ {OFFER-S_SP})* {PROOF-R_Q(SP)} Σ'*
        ∪ (Σ' \ {PROOF-R_Q(SP)})* {PROOF-S_Q(SP)} Σ'* )
By the definition of h and Definition 8, it follows that each state transition
sequence in h⁻¹(ω) violates the properties of (Proof, SP) and thus is not an
element of WP. This is a contradiction to Assumption 1, and it follows that
h(WP) ⊆ W'P. ✷
By induction over the sequences of state transitions in SPRO it can be shown
that
in Section 2.2, the agents’ local view of the abstract system is given by
πP : Σ'* → (Σ'/P)* with πP(x) = x if x ∈ Σ'/P and πP(x) = ε if x ∈ Σ' \ Σ'/P,
i.e. λ'P = πP.
The following gives a general definition of the agents’ local view in a system
modelled by APA.
(ii) a ∈ Γ^S_SP ∩ Σ/P implies that ((proof, SP, m), broadcast) ∈ Network after
ωa has happened. Therefore, a state transition b ∈ Σ in accordance with
transition pattern Proof Rec is possible, hence ω⁻¹(S) ∩ (h⁻¹(Γ^P_SP) ∩ Σ/R) ≠
∅.
This shows that ω can be continued in S with appropriate Proof Send and
Proof Receive actions.
Condition 2 Holds by definition of h. ✷
6 Conclusions
In this paper we have presented a methodology for the specification of e-
commerce transactions on different levels of abstraction, providing certain se-
curity properties. Based on a formal framework for binding cooperations we
have defined the concepts of authenticity and proof of authenticity, using the
notions of formal languages and language homomorphisms. The universality of
these definitions allows them to be applied to any specification language with a
semantics based on labeled transition systems. We have formulated conditions on
homomorphisms under which they preserve these properties from a higher to a
lower abstraction level, thus serving as a means of refinement. This is in line
with our general approach to the verification of communicating systems, where
arbitrary safety and liveness properties of abstract specifications are transferred
to more concrete ones by means of so-called simple language homomorphisms [10,
9]. For the specification on a lower abstraction level, we have used Asynchronous
Product Automata (APA), a general class of communicating automata. Suitable
homomorphisms map an APA specification onto a more abstract specification
and transfer authenticity and proofs from the higher to the lower abstraction
level.
Our approach is related to a range of work concerning authentication and
proof (see, for example, [12], [13] and [7]). However, these papers are concerned
with the analysis of security protocols. To the best of our knowledge, there is
no approach that formally defines a proof of authenticity and provides a design
methodology. Moreover, our approach is equally useful for the continuation of
the design process, where the protocol specification is transferred to the next level
of refinement by introducing cryptographic mechanisms. This is the subject of
future work.
References
1. C. Boyd. A Framework for Design of Key Establishment Protocols. Lecture Notes
in Computer Science, 1172:146–157, 1996.
2. C. Boyd and W. Mao. Design and analysis of key exchange protocols via secure
channel identification. In J.Pieprzyk and R. Safavi-Naini, editors, ASIACRYPT
‘94, volume 917 of Lecture Notes in Computer Science, pages 171–181. Springer,
1994.
3. E.M. Clarke, S. Jha, and W. Marrero. A machine checkable logic of knowledge for
specifying security properties of electronic commerce protocols. In LICS Security
Workshop, 1998.
4. S. Eilenberg. Automata, Languages and Machines. Academic Press, New York,
1974.
5. R. Grimm and P. Ochsenschläger. Binding Cooperation, A Formal Model for
Electronic Commerce. Computer Networks, 37:171–193, 2001.
6. S. Gürgens, P. Ochsenschläger, and C. Rudolph. Authenticity and Provability - a
Formal Framework. GMD Report 150, GMD – Forschungszentrum Information-
stechnik GmbH, 2001.
7. R. Kailar. Accountability in Electronic Commerce Protocols. IEEE Transactions
on Software Engineering, 22(5):313–328, 1996.
8. U. M. Maurer and P. E. Schmid. A Calculus for Secure Channel Establishment
in Open Networks. In D. Gollmann, editor, Computer Security – ESORICS 94,
volume 875 of LNCS, pages 175 – 192. Springer, 1994.
9. P. Ochsenschläger, J. Repp, and R. Rieke. Abstraction and composition – a verifi-
cation method for co-operating systems. Journal of Experimental and Theoretical
Artificial Intelligence, 12:447–459, 2000.
10. P. Ochsenschläger, J. Repp, R. Rieke, and U. Nitsche. The SH-Verification Tool –
Abstraction-Based Verification of Co-operating Systems. Formal Aspects of Com-
puting, The Int. Journal of Formal Methods, 11:1–24, 1999.
11. C. Rudolph. A Model for Secure Protocols and its Application to Systematic Design
of Cryptographic Protocols. PhD thesis, Queensland University of Technology, 2001.
12. S. Schneider. Security Properties and CSP. In Symposium on Security and Privacy.
IEEE, 1996.
13. P. Syverson and C. Meadows. A Logical Language for Specifying Cryptographic
Protocol Requirements. In Proceedings of the 1993 IEEE Computer Society Symposium
on Security and Privacy, pages 165–177. IEEE Computer Society Press,
New York, 1993.
Protocol Engineering Applied to Formal Analysis of
Security Systems
1 Introduction
G. Davida, Y. Frankel and O. Rees (Eds.): InfraSec 2002, LNCS 2437, pp. 246–259, 2002.
© Springer-Verlag Berlin Heidelberg 2002
can perform the attacks [6]. His possible actions are killing, sniffing, intercepting,
redirecting, delaying, delivering, reordering, replaying, and faking messages.
Currently, secrecy and authentication [17] are the most widely analyzed security
properties. By analyzing secrecy we prevent the intruder from deriving the
plaintext of messages passing between honest nodes. Our analysis consists of
checking whether the secret item can be deduced from the protocol messages and the
intruder's database knowledge.
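The deduction check described above can be sketched as a fixed-point closure over the intruder's knowledge. The following toy Python sketch is our illustration, not the authors' tool; all term constructors and names are hypothetical. Messages are symbolic terms, and the database is closed under pair projection and decryption with known keys:

```python
# Toy Dolev-Yao style deduction: can a secret be derived from the observed
# protocol messages plus the intruder's database knowledge?
# Terms are atoms (strings) or tuples: ("pair", a, b) and ("enc", msg, key).

def closure(knowledge):
    """Close a set of terms under pair projection and decryption."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for term in list(known):
            new = set()
            if isinstance(term, tuple) and term[0] == "pair":
                new = {term[1], term[2]}            # split pairs
            elif isinstance(term, tuple) and term[0] == "enc" and term[2] in known:
                new = {term[1]}                     # decrypt with a known key
            if not new <= known:
                known |= new
                changed = True
    return known

def can_deduce(secret, observed, initial):
    return secret in closure(set(observed) | set(initial))

# The key k1 leaks inside a pair, so the encrypted secret leaks too:
print(can_deduce("secret", [("enc", "secret", "k1"), ("pair", "k1", "nA")], set()))  # True
print(can_deduce("secret", [("enc", "secret", "k2")], set()))                        # False
```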
For an authentication protocol to be correct, it is required that a user Bob does not
finish the protocol believing that it has been running with a user Alice unless Alice
also believes that she has been running the protocol with Bob. Our analysis consists of
checking if there is a reachable state where Bob has finished correctly and Alice will
never reach her final state.
The paper is structured in the following way. In Section 2 we summarize SDL
features and tools. In Section 3 we explain how SDL can be used to specify security
protocols and cryptographic operations; at the same time we show how security
properties can be modeled as safety properties and checked automatically by a model-
based verification tool. Section 4 shows an example of how our methodology is
applied to the EKE protocol. The last section contains conclusions and future work.
2 SDL Language
Validator tool for verification purposes. Indeed, we are going to take advantage of its
exploration algorithms and its check mechanism.
The SDL Validator [7] is based on state space exploration. State space exploration is
based on automatic generation of reachable states of systems. The reachable state
space of a system or application comprises all possible states it can assume, and all
possible ways it can be executed. A reachability graph is one way to conceptually
view reachable state space, though one rarely computes it since it is too large for
realistic applications.
A reachability graph represents the complete behavior of an application.
The nodes of the graph represent SDL system states; each node contains all the
information necessary to describe the application state. For an SDL system, the complete
description of an application state includes the flow state of all concurrent processes,
the values of all variables, procedure call stacks, activated timers, signals in
transmission and their parameter values, and so on.
The edges of the reachability graph represent SDL events that can take the SDL
system from one system state to the next system state. The edges define the atomic
events of the SDL system. These can be SDL statements like assignments, inputs and
outputs, or complete SDL transitions depending on how the state space exploration is
configured.
The state space can be explored using the following algorithms: random walk,
exhaustive exploration, bit-state exploration, and interactive simulation. The random
walk algorithm traverses the state space randomly: whenever several transitions are
available, the SDL Validator chooses one of them and executes it. The
random walk algorithm is useful as an initial attempt at robustness testing of an
application, and when the state space is too large even for a partitioned bit-state search.
The exhaustive exploration algorithm is a straightforward search through the
reachability graph. Each system state encountered is stored in RAM. Whenever a new
system state is generated, the algorithm compares it with previously generated states
to check whether it was already reached during the search. If not, the search
continues with its successor states. If the new state is the same as a previously
generated state in RAM, the current path is pruned, and the search backs up to try
other alternatives. The exhaustive exploration algorithm requires a lot of RAM, which
limits its practical application.
The bit-state exploration algorithm can be used to efficiently validate
reasonably large SDL systems. It uses a hash table of single bits to represent
the system states that are generated during the exploration. When we want to analyze
a particular situation, we use interactive simulation: we guide the state space exploration to
the goal scenario, and then we check the analysis results.
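Bit-state hashing can be sketched in a few lines. The following Python sketch is purely illustrative (not Telelogic's implementation): one bit per state hash is stored, so memory use is fixed, but hash collisions may incorrectly prune states.

```python
# Bit-state ("supertrace") exploration: instead of storing full states,
# keep only one bit per hash value, trading completeness for memory.

def bitstate_explore(initial, successors, n_bits=1 << 20):
    bits = bytearray(n_bits // 8)        # the hash table of single bits
    visited = 0
    stack = [initial]
    while stack:
        state = stack.pop()
        byte, bit = divmod(hash(state) % n_bits, 8)
        if bits[byte] & (1 << bit):      # bit already set: seen (or a collision)
            continue
        bits[byte] |= 1 << bit
        visited += 1
        stack.extend(successors(state))
    return visited

# Toy system: a counter modulo 100, stepping by +1 or +7.
def succ(s):
    return [(s + 1) % 100, (s + 7) % 100]

print(bitstate_explore(0, succ))         # 100: all states reached, no collisions here
```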
The Validator offers several ways to check an SDL specification, essentially
scenario verification and observer processes. Scenario specifications are written
in the Message Sequence Chart (MSC) language [8] (ITU-T Recommendation
Z.120). We can verify an MSC by checking whether there is a possible execution path of the
SDL system that satisfies it, or by checking for MSC violations. This is achieved
by loading the MSC and performing a state space exploration configured for
verifying MSCs; the MSC verification algorithm is a bit-state exploration
adapted to the needs of MSC verification.
A more powerful way to check an SDL specification is the observer process
mechanism. Its purpose is to make it possible to check more
complex requirements on the SDL system than can be expressed using MSCs. The
basic idea is to use SDL processes (called "observer processes") to describe the
requirements to be tested and then include these processes in the SDL system.
Typical application areas include feature interaction analysis and safety-critical
systems.
When processes are defined as observer processes, the Validator executes
in a two-step fashion: first the rest of the SDL system executes one transition,
and then all observer processes execute one transition and check the new system
state.
The assert mechanism enables the observer processes to generate reports during
state space exploration. These reports will be included in the list of generated reports
in the Report Viewer.
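The two-step execution with assert reports can be sketched as follows. This is a minimal Python illustration with hypothetical names, not the Validator's actual engine:

```python
# After each system transition (step 1), every observer inspects the new
# global state (step 2) and may emit a report, as with the assert mechanism.

class Transition:
    def __init__(self, guard, fire):
        self.guard, self.fire = guard, fire

def explore(state, transitions, observers, max_steps=50):
    reports = []
    for _ in range(max_steps):
        enabled = [t for t in transitions if t.guard(state)]
        if not enabled:
            break
        state = enabled[0].fire(state)      # step 1: the system moves
        for observe in observers:           # step 2: observers check the state
            msg = observe(state)
            if msg:
                reports.append(msg)
    return state, reports

# Toy system: a counter; the observer reports when a "bad" state is seen.
inc = Transition(lambda s: s < 10, lambda s: s + 1)
bad = lambda s: f"assert violated at s={s}" if s == 7 else None
final, reports = explore(0, [inc], [bad])
print(final, reports)    # 10 ['assert violated at s=7']
```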
3 Analysis Mechanism
Our approach (depicted in figure 1) performs the design and analysis of a security
protocol in the same way as the design and analysis of a traditional communication
protocol. First, we define the system requirements. These are specified in the Security
Requirements Specification Language (SRSL), which has been designed to define the
security features and the analysis strategy. Next, we translate the system requirements
semi-automatically into an SDL system and analyze it. Furthermore, the SDL system can be
used for code generation and testing, as with a traditional communication protocol.
The aim of SRSL is to provide a high-level language for specifying
cryptographic protocols and secure systems. The language must be modular to
achieve reusability, must be easy to learn, and has to use security concepts.
SRSL is divided into three parts: the specification of protocol
elements, the message exchange flow, and the security analysis strategies.
The essential elements required to define a security protocol can be divided into
several categories (keywords in italics):
− Entities: Agent (Initiator/Responder), principal identification; Server_Key,
provides a key; Server_Time, provides time token; Notary, registers the
transaction; Server Certification Authority (SCA), validates a certificate.
250 J. Lopez, J.J. Ortega, and J.M. Troya
− Message: Text, clear text; Random number, for freshness purposes; Timestamp,
the current time; Sequence, a counter.
− Keys: Public_key, for instance in PKCS#12 format; Certificate, a public key signed
by a CA; Private_key, used to sign; Shared_key, a secret key shared by more than one
entity; Session_key, a secret key used to encrypt a transmission.
Fig. 1. The analysis methodology: a Security Requirements Specification Language (SRSL) specification is automatically translated into an SDL system; error correction and refinement, the analysis method, and code generation are carried out with the SDT tools, with human interaction where needed.
In addition, SRSL can operate on previously defined data types. The
operations are: Concatenate, composition of complex data (operator ','), which can be
identified by a name; Cipher/Decipher, which produce cipher data and cleartext data,
respectively (for instance, RSAcipher/RSADecipher in PKCS#1 format); Hash, the
result of a one-way algorithm; Sign, a message hash encrypted with the signer's private key
(for instance, RSAsign in PKCS#7 format).
The message exchange is defined in the requirements language most widely
used in the telecommunications area, the Message Sequence Chart (MSC), and its
extension High-level MSC (HMSC). We can specify elementary scenarios (MSCs) and
compose them into a complex protocol (HMSC).
We may describe security systems in a multilayer way. The first layer is the
communication medium, which is also used to apply an attack strategy (the intruder
behavior). The other layers depend on the security mechanisms employed in the system
development.
For instance, consider a system that uses the SSL security mechanism to achieve
server authentication and secret communication. Furthermore, it has to be designed so
that the user's credit card number and the product code are sent
to the application server (the responder), and the server obtains evidence of this. This
means that the server wants to check the non-repudiation of origin property. The module
specification is depicted in figure 2.
The SSL layer can be described with a standard security communications package,
so part of the medium layer is generated automatically. Consequently, we only
have to specify the Initiator-Responder protocol, which is composed of simple scenarios
described in MSC. This is depicted in figure 3.
As we can see in the MSC description of the user protocol, the security analysis
section describes at least the property to check. This section is called "check" and admits three
possible conditions: Authentication(A,B), for analyzing the authentication between
agents A and B; Secret(X), to evaluate whether X can be deduced (also called
confidentiality); and Nonrepudiation(A,X), which checks whether the data X (the evidence) can be
produced only by A. In addition, it is possible to define a specific attack scenario using the
"session_instance" and "intruder_behavior" sections, in order to prune the exploration
space.
Fig. 2. Module specification: the user protocol (initiator and responder) runs over the SSL layers (client and server), which in turn run over the medium layer implementing the intruder's behaviour (redirect, snoop, fake, …).
An automatic translator program is used to obtain the SDL system from the SRSL
specification. The SDL system is composed of one package where the data types are defined,
and another package where one process type for each protocol agent, a group of
observer process types, and the medium process are specified.
Fig. 3. MSC of the user protocol. Definitions: Client: Initiator; Server: Responder; Kcl: Private_key(Client); Cardnum, prodcod: Text. The client sends [Cardnum, prodcod]Kcl to the server; the check is Nonrepudiation(client, (Cardnum, prodcod)).
In order to analyze security properties, we evaluate the SDL system behavior when
different kinds of attacks are applied by way of medium processes. Observer
The messages sent by the protocol agents are constructed as concatenations
of elemental data types and cryptographic operations. The data types can be divided
into agent identification, number (random, time-stamp, etc.), symmetric key, and
asymmetric key pair. The operations used are cipher, decipher, sign, and hash.
To be more precise, we use an abstract object certificate to model certificates, i.e.
we abstract from the public key included in a certificate, a simplification which is
acceptable for analysis purposes. Of course, for code generation we need to use the
ASN.1 notation, since it provides unambiguous data management.
The package "analcryptlib" defines the data types used by the SDL specification.
SDL data types do not support recursive definitions, so we make use of enumerated
and structured data types. The elemental data types defined are: (a) agent
identification, an enumerated sort with all possible agent names; (b) number, a
fresh and/or random value; (c) secret key, which represents symmetric keys; (d)
public key, which is composed of a key pair (private and public key); (e) encrypted
message, implemented as a structured sort composed of a message item
and a symmetric or asymmetric cipher item; (f) signed message, defined as a
structured sort with a message and the private key of the signer.
Freshness and temporary secrets are implemented by appending an item that holds the
process instance value; in particular, we use the SDL sort PID for this purpose.
Furthermore, we define a knowledge-set type for each data type. The intruder
uses these types to store message knowledge.
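As an illustration only (the actual sorts live in the authors' SDL package; all names here are hypothetical), the elemental sorts and PID-based freshness might be modelled like this:

```python
# Non-recursive structured sorts, with freshness modelled by tagging each
# nonce with the owning process instance (PID) to separate concurrent sessions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Nonce:
    value: int
    pid: int                 # process instance identifier

@dataclass(frozen=True)
class EncMessage:
    body: object             # the enclosed message
    key: str                 # name of the symmetric or asymmetric key

@dataclass(frozen=True)
class SignedMessage:
    body: object
    signer_key: str          # the signer's private key name

# One knowledge set per sort, as used by the intruder.
intruder = {"nonces": set(), "encrypted": set(), "signed": set()}

n1 = Nonce(42, pid=1)
n2 = Nonce(42, pid=2)        # same value, different session: still distinct
intruder["nonces"] |= {n1, n2}
print(len(intruder["nonces"]))   # 2: the PID keeps the two sessions apart
```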
The generic model identifies each protocol agent with an SDL process type. All
process types are stored in a package so that they can be used in other specifications. An
agent specification is completely independent of the rest of the system, so each agent is
generated in a separate module. Furthermore, the specification permits concurrent
instances, so that we can evaluate this behavior in the analysis stage.
The generic state transition of an agent process is triggered when it receives a
correct message (i.e. one accepted by the agent). Then either the next message is
composed and sent to the receiving agent, or the process stops if the final state of the protocol
has been reached. If the message is not correct, the process returns to the waiting-
message state.
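The generic agent transition can be sketched as a table-driven state machine. This is an illustrative Python sketch with hypothetical message and state names, not generated SDL:

```python
# On a correct (accepted) message: compose and send the next message, or stop
# if the final protocol state is reached. On an incorrect one: keep waiting.

def agent_step(state, message, protocol):
    """protocol maps (state, accepted_message) -> (reply, next_state)."""
    if (state, message) not in protocol:
        return None, state              # not accepted: stay in the waiting state
    reply, next_state = protocol[(state, message)]
    return reply, next_state            # next_state may be "final" (process stops)

# Toy two-message responder.
proto = {("wait1", "m1"): ("m2", "wait3"),
         ("wait3", "m3"): (None, "final")}
print(agent_step("wait1", "m1", proto))     # ('m2', 'wait3')
print(agent_step("wait1", "bogus", proto))  # (None, 'wait1')
print(agent_step("wait3", "m3", proto))     # (None, 'final')
```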
An SDL process is a finite state machine, so it finishes when executing a stop
statement, and it deadlocks if no signal arrives. Our model has to explore all
possibilities; thus, we need a mechanism to ensure that all signals sent
The intruder's behavior is divided into two aspects: the exploration algorithm and the check
mechanism. The exploration algorithm is provided by a medium process, and
observer processes perform the check mechanism.
We consider two types of medium process model. The first is characterized by an
exploration mechanism that searches all possibilities. It begins by examining all
combinations of different initial knowledge for each agent. Afterwards, it checks
concurrent agent executions: we try combinations of two concurrent sessions, and so
on. The algorithm finishes when it runs out of memory or when it detects
that the significant intruder knowledge no longer grows. In the general case the
completeness problem [12,16] is undecidable; thus, if the algorithm terminates
without having found a flaw, we do not have a proof that there is no flaw.
The second type of medium process is developed with an intruder specialized in
finding a specific flaw. If we typify a kind of attack, we can evaluate whether the
protocol is vulnerable to that specific flaw. This may not be the most general solution,
but it is very useful for a protocol designer to be sure that the protocol is not
vulnerable to this kind of attack. The only result we get is that a specific vulnerability
does not occur in the cases we have examined.
The state transition of the medium process is triggered when it receives any
message. After receipt, the message is stored in the intruder's knowledge database.
The intruder then decides which operation to perform next and proceeds to the next
routing state. We have defined three different operations: eavesdrop, divert, and
impersonate. In an eavesdrop operation the intruder intercepts the message, and it is
not delivered to any agent. In a divert operation the intruder intercepts the message
but does not forward it to the original receiver. In an impersonate operation the
intruder sends a faked message to the original receiver.
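The medium process can be sketched as follows (an illustrative Python sketch with hypothetical names, not the authors' SDL process):

```python
# Every message is first stored in the intruder's knowledge database; one of
# the three operations then decides what, if anything, is delivered.

def medium(message, receiver, operation, knowledge, fake=None):
    knowledge.add(message)                 # the intruder always learns the message
    if operation == "eavesdrop":
        return None, None                  # intercepted: delivered to no agent
    if operation == "divert":
        return message, "intruder"         # kept from the original receiver
    if operation == "impersonate":
        return fake, receiver              # a faked message reaches the receiver
    raise ValueError(operation)

kb = set()
print(medium("m1", "B", "eavesdrop", kb))                 # (None, None)
print(medium("m2", "B", "impersonate", kb, fake="m2x"))   # ('m2x', 'B')
print(sorted(kb))                                         # ['m1', 'm2']
```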
The observer process carries out the check mechanism. This is a special SDL
process type that is evaluated at each transition of the protocol specification. It has
access to all variables and states of the complete set of process instances, so checks
can be performed automatically.
The security properties are proved using condition rules. These rules check
different situations in which a protocol vulnerability may exist; the elements
examined are agents' states, variable values, and sent signals.
Currently we analyze secrecy and authentication properties. When we want to
check secrecy properties, we examine if from the intruder knowledge a specific value
Figure: EKE system architecture – agents A and B run the EKE protocol over the EKE layers (client and server), on top of the medium layer implementing the intruder's behaviour (redirect, snoop, fake, …).
The package "analcryptlib" includes all message definitions for analysis purposes.
Messages are defined as SDL struct sorts belonging to a generic choice sort called
"TMESSAGE". Additionally, a generic struct sort called "TENCMESS" is defined,
which results from applying security operations to messages. The respective operators
are "enc" to encipher, "denc" to decipher, "sign" to perform a digital signature, and
"hash" to apply a hash function, as explained above.
Agents are defined as process types included in the SDL package called "agents". We
specify the initiator agent process type ("agentA") and the responder agent process
type ("agentB"). Both process types have states named "mess" followed by the
message number. Each state has an input signal that is triggered when the related message is
received. The message is checked before being accepted; the process then stops if it
has reached the final state, or composes the corresponding message, sends it, and
proceeds to the next state.
In order to handle all received messages, we have defined an asterisk state
that saves all unprocessed signals and, at a lower priority level, checks whether any
messages are queued. If so, it changes its state to the one related to that
signal. Fresh data types are obtained by adding a process identification
item (the SDL PID sort) to their definition; this is used to distinguish concurrent
sessions. All these process types can be used in a more complex system in which the
EKE protocol is the authentication procedure.
The intruder model is divided into the exploration algorithm and the check
mechanism. These depend on the analysis strategy that the analyzer wants to evaluate.
A number of attack types have been developed that can be implemented in our
analysis mechanism.
The process type called "CorresAttack" provides the exploration algorithm. It
consists of a state that is triggered by any input message and executes the intruder's
operation. The divert operation is then applied, sending a message from the first
session to the second session and vice versa (figure 6). This kind of attack is called
the man-in-the-middle attack.
Fig. 6. The router process and the exchanged messages m1(v1), m2(v2), m3(v3), m4(v4), m5(v5).
In order to check the correspondence flaw we create the observer process type
called "obvcorresattack". Its main state (checking) has two possible alternatives,
which we can see in the following SDL program code:
STATE checking
  if ((GetState(A2) = 'final') AND (GetState(B1) = 'final'))
     AND ((GetState(B2) /= 'final') AND (GetState(A1) /= 'final'))
  then
    REPORT "authentication error"
    STOP
  else
    if ((GetState(A1) = 'final') AND (GetState(B2) = 'final'))
       AND ((GetState(B1) /= 'final') AND (GetState(A2) /= 'final'))
    then
      REPORT "authentication error"
      STOP
    else
      NEXTSTATE checking
The first condition is true when agent A of session two (A2) and agent B of session
one (B1) reach the "final" state while the other agents do not. The second
condition checks the inverse situation. When a condition holds, a report
action is executed, and the observer process can stop searching or continue exploring
for a new failure scenario. The report is provided in the MSC language.
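The observer's two conditions amount to asking whether a mismatched pair of agents has finished. A minimal Python restatement (our illustration, not the SDL code itself; state names are hypothetical):

```python
# The correspondence flaw: A of one session and B of the *other* session both
# reach "final" while their intended partners never do.

def correspondence_flaw(states):
    """states maps (agent, session) -> state name, as read by the observer."""
    def fin(agent, session):
        return states.get((agent, session)) == "final"
    return ((fin("A", 2) and fin("B", 1) and not fin("B", 2) and not fin("A", 1))
            or (fin("A", 1) and fin("B", 2) and not fin("B", 1) and not fin("A", 2)))

# After the session-swap divert, a mismatched pair has finished:
after_attack = {("A", 1): "final", ("B", 2): "final",
                ("A", 2): "wait", ("B", 1): "wait"}
print(correspondence_flaw(after_attack))   # True

# In a correct run, both agents of the same session finish together:
print(correspondence_flaw({("A", 1): "final", ("B", 1): "final"}))   # False
```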
Figure: process distribution – the agent instances A(0,):Ag and B(0,):Ag exchange the messages [m1,m3,m5] and [m2,m4] through the medium instance medattack(1,1):CorresAttack via the gates RA and RB, while observer(1,1):obvcorresattack monitors the system.
This process distribution forces all messages sent between A and B to
pass through the medium instance, where they are processed by the intruder's
operations, i.e. the intruder's redirect operations are applied.
We then load the SDL specification into the SDL Validator tool. First we configure
the Validator so that the system is evaluated correctly, and then we execute the
exhaustive exploration option. It finishes quickly and generates an MSC report
(figure 8). The report shows how two sessions start at the same time. When
the medium process intercepts the messages of one session and sends them to the other
session, agent A of the first session and agent B of the second session reach a "final"
state. This means that agent A of the first session believes that it is
communicating with agent B in this session, whereas in fact it is connected to agent B of
the second session.
We have presented a new mechanism to specify security protocols and their possible
attacks. The security protocol is specified in the SRSL language and translated into an
SDL system, and attacks are implemented as SDL processes that realize the
intruder's behavior and check safety properties. A protocol specification is
independent of the analysis procedures, so it can be used in other environments as
well.
Several kinds of security attacks are analyzed using our method. It is essential to
study how they can be produced in a real environment. We examine the resulting
scenario provided by an analysis procedure, and redesign the security protocol if
necessary.
Currently we are extending SRSL in order to represent more complex protocols
and to analyze other properties, such as anonymity. In order to check several kinds of
attacks, we are gathering a set of generic attacks. Furthermore, we are studying how
to implement these attacks in the Internet environment.
References
1 Introduction
In 1984 Shamir [11] introduced the concept of identity based cryptography and
proposed a signature scheme based on the RSA assumption. Over the years a
number of researchers tried to propose secure and efficient identity based encryption
algorithms, but with little success. This state of affairs changed in 2001
when two identity based encryption algorithms were proposed: one by Cocks
[6] based on the quadratic residuosity assumption, and another by Boneh and
Franklin based on the Weil pairing, although a variant based on the Tate
pairing is more efficient. A number of identity based signature algorithms based
on the Tate pairing also exist, e.g. [5], [9] and [10].
In this paper we investigate the applications of the Boneh and Franklin
scheme in more detail. In particular we examine how the key structure can
lead to interesting applications. Due to our later applications we prefer to talk
about identifier based cryptography rather than identity based cryptography.
This is because the word identity seems to imply the name of someone (such
as their email address), whilst the schemes actually associate keys with strings.
G. Davida, Y. Frankel and O. Rees (Eds.): InfraSec 2002, LNCS 2437, pp. 260–275, 2002.
© Springer-Verlag Berlin Heidelberg 2002
Applications of Multiple Trust Authorities in Pairing Based Cryptosystems 261
Each string can represent anything, such as legal terms and conditions,
and not just a person's identity.
We shall use the additive property of keys of the pairing based systems to
define a way of expressing groupings in a clear and concise manner. We then
use this to define policies which are then enforced via the means of possession
of certain keys. This results in a kind of “key calculus”.
The "key calculus" we present is different from, but inspired by, the ideas of
Desmedt [7] and Boyd [3,4], who introduced the notion of group oriented cryptography.
Usually one sees group oriented cryptography in the context of group
signatures; in this paper we shall be concerned with applications to encryption.
Much of our discussion will, however, also apply to identifier based signature
schemes.
The paper is organised as follows. First we recap on the Boneh-Franklin
encryption scheme. Then we go through a number of applications which are
enabled by the additive property of the keys in the scheme. Finally we give
the semantics of the resulting key calculus, which describes precisely what
sets of keys can be singled out in any given application.
Let $G_1$ and $G_2$ denote two groups of prime order $q$ in which the discrete logarithm
problem is believed to be hard and for which there exists a computable bilinear
map
$t : G_1 \times G_1 \longrightarrow G_2.$
Bilinearity means that for all $P, Q \in G_1$ and $a, b, c \in \mathbb{F}_q$:
$t(aP, bQ)^c = t(aP, cQ)^b = t(bP, cQ)^a = t(bP, aQ)^c = t(cP, aQ)^b = t(cP, bQ)^a$
$= t(abP, Q)^c = t(abP, cQ) = t(P, abQ)^c = t(cP, abQ)$
$= \cdots$
$= t(abcP, Q) = t(P, abcQ) = t(P, Q)^{abc}.$
$H_1 : \{0,1\}^* \longrightarrow G_1, \qquad H_2 : G_2 \longrightarrow \{0,1\}^*.$
262 L. Chen et al.
– Encryption:
Compute $U = rP$, where $r$ is a random element of $\mathbb{F}_q$. Then compute
$V = m \oplus H_2(t(R_{TA}, rQ_{ID})).$
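To make the algebra concrete, here is a toy Python sketch of the encryption and decryption steps. The "pairing" $t(aP, bP) = g^{ab} \bmod p$ over scalars is bilinear but offers no security whatsoever, and all parameters and identifiers are illustrative; a real implementation uses the Weil or Tate pairing on elliptic curves:

```python
# Toy Boneh-Franklin-style encryption: scalars mod q stand in for points of
# G1, and t(a, b) = g^(a*b) mod p is an insecure stand-in bilinear map.
import hashlib

p, q, g = 1019, 509, 4        # g generates the order-q subgroup mod p

def t(a, b):                  # toy bilinear map: "G1 x G1 -> G2"
    return pow(g, (a * b) % q, p)

def H1(identity):             # hash an identifier onto "G1"
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % q

def H2(element):              # hash a "G2" element to a mask
    return hashlib.sha256(str(element).encode()).digest()

s = 123                       # the trust authority's master secret
R_TA = s                      # "R_TA = sP"

Q_ID = H1("alice@example.com")        # hypothetical identifier
S_ID = (s * Q_ID) % q                 # private key issued by the TA

def encrypt(m, r):
    U = r                                         # "U = rP"
    V = bytes(x ^ y for x, y in zip(m, H2(t(R_TA, (r * Q_ID) % q))))
    return U, V

def decrypt(U, V):
    # t(U, S_ID) = t(rP, s*Q_ID) = t(sP, r*Q_ID): the same mask is recovered
    return bytes(x ^ y for x, y in zip(V, H2(t(U, S_ID))))

U, V = encrypt(b"press release", r=77)
print(decrypt(U, V))          # b'press release'
```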
We first present the case where there are $n$ trust authorities, each with its
own standard public/private key pair
$R_{TA_i} = s_i P.$
We assume that all the public keys $R_{TA_i}$ are trusted by all parties in the system.
In addition, suppose we have a fixed identifier $ID$ and we obtain the $n$ private
keys corresponding to this identifier from the relevant trust authorities, i.e. we
have
$S_{ID_i} = s_i Q_{ID}, \quad \text{where} \quad Q_{ID} = H_1(ID).$
Given an $n$-bit string $b = (b_1, \ldots, b_n)$ we can then form the private key
$S_{ID,b} = \sum_{i=1}^{n} b_i S_{ID_i}.$
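The additive key structure can be checked numerically with a toy model in which scalars mod a prime stand in for curve points (all numbers illustrative). Summing the per-authority private keys for one identifier yields exactly the key a "virtual" authority with master secret $\sum b_i s_i$ would have issued:

```python
# Aggregating private keys from several trust authorities for one identifier.
q = 509                        # prime order of the toy group

s = [111, 222, 333]            # master secrets of three trust authorities
Q_ID = 42                      # H1(ID), as a scalar

S_ID = [(si * Q_ID) % q for si in s]    # S_IDi = s_i * Q_ID

b = [1, 0, 1]                  # bit string selecting authorities 1 and 3
S_ID_b = sum(bi * Si for bi, Si in zip(b, S_ID)) % q

# The matching "virtual" master secret, known to no single party:
virtual_s = sum(bi * si for bi, si in zip(b, s)) % q
print(S_ID_b == (virtual_s * Q_ID) % q)   # True
```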
As a second case, assume we have one fixed trust authority with its standard
public/private key pair
$R_{TA} = sP.$
Now assume we have $n$ identifiers $ID_i$, with private keys given by
$S_{ID_i} = s Q_{ID_i}, \quad \text{where} \quad Q_{ID_i} = H_1(ID_i).$
Given an $n$-bit string $b = (b_1, \ldots, b_n)$ we can then form the private key
$S_{ID,b} = \sum_{i=1}^{n} b_i S_{ID_i}.$
Suppose, for example, that the United States government acts as a trust authority with public key
$R_{US} = sP.$
This trust authority would issue all US citizens with a public/private key pair
corresponding to their name, i.e. Ron Rivest would be given the private key
$S_{Ron\ Rivest,US} = s\, Q_{Ron\ Rivest}.$
A third trust authority, say one certifying cryptographers, would similarly have a public key
$R_{Crypto} = rP.$
Suppose also that MIT acts as a trust authority with public key
$R_{MIT} = tP.$
They would issue all employees with the public/private key corresponding to
their name as
$S_{Ron\ Rivest,MIT} = t\, Q_{Ron\ Rivest}.$
Suppose some third party wished to send an encrypted message to Ron Rivest.
They may know that Ron Rivest is a US national and a cryptographer who
works at MIT. They therefore create the "virtual" trust authority public key
corresponding to the context in which they wish to place the identity of Ron Rivest,
i.e. they can create the sum of the three trust authorities' public keys,
$R_{virtual} = (r + s + t)P.$
Note that the corresponding secret key for the virtual trust authority is
$r + s + t,$
but no party knows this key (and no two colluding parties can determine this
key). The third party now encrypts the data for Ron Rivest using the virtual
trust authority's public key and the public key
$Q_{Ron\ Rivest}.$
The encrypted data is then sent, along with some information encoding the
contexts in which the identity is being considered.
Ron Rivest can then decrypt the information using the private key
$S_{Ron\ Rivest,virtual} = (r + s + t)\, Q_{Ron\ Rivest},$
obtained by adding together the private keys issued to him by the individual trust authorities.
Clearly this use of contexts to narrow down the possibilities for sending data
to the wrong Ron Rivest also comes with the added benefit that no single trust
authority can decrypt the encrypted message.
A similar technique can also be applied to any form of group membership, for
example in access control systems where the rights to do some task may depend
on whether the principal is a member of a number of different groups.
266 L. Chen et al.
One can use a similar idea to create legal hoops through which people must jump
before a certain action can be performed. We give an example, which may be
peculiar to the United Kingdom, although others can be easily created.
In the United Kingdom every car needs to display a tax disk. This is pur-
chased each year for a nominal fee, and essentially proves that at a given point
in the year the owner of the car had car insurance and a certificate of road
worthiness for the car. We describe a possible online car tax disk dispenser.
We note the three obvious trust authorities
– The ownership of the car is recorded by the Driver and Vehicle Licensing
Agency (DVLA).
– The insurance certificate is produced by an insurance company, say AXA.
– The certificate of road worthiness is produced by an accredited garage, say
Joes Garage.
Suppose the owner of the car with registration number X 675 AHO wished to
obtain a new tax disk from the government. They could then log into some web
site and claim that they owned the car, that they had insured it through AXA,
and that Joes Garage had issued them with a certificate of road worthiness. The
government could then email the user an encrypted version of the tax disk, upon
payment of some fee, where the encryption is under the virtual trust authority key
$R_{virtual} = R_{DVLA} + R_{AXA} + R_{Joes\ Garage}.$
The owner would need to obtain from each trust authority the corresponding
private key for the identifier X 675 AHO (clearly date/year information needs to be
added, but we ignore that issue here for simplicity).
The owner now adds these private keys together to form another private key,
$S_{X\ 675\ AHO,virtual},$
with which they can decrypt the electronic form of the tax disk and print it on
their printer.
4 A “Key Calculus”
In this section we formally define the key calculus which formed the basis of the
examples above. The following formalism is richer than those examples. We
assume a set of "atomic" identifiers $I$; these are identifiers which correspond to
true identifier based public keys
$Q_{ID_i} = H_1(ID_i), \quad \text{where } ID_i \in I.$
We also assume a set of "atomic" trust authorities $T$. These are trust
authorities which possess public/private key pairs
$R_{TA_i} = s_i P, \quad \text{where } TA_i \in T,$
for which the value of $s_i$ is explicitly known by at least one party
(i.e. the trust authority). We shall assume that all parties in the system have trusted
copies of the TAs' public keys $R_{TA_i}$.
To each pair $(ID, TA)$ of atomic identifier/trust authority keys, called an
atomic pair, there corresponds a secret key
$S_{ID,TA} = s_{TA} Q_{ID},$
although it may be the case that no one in the system, bar the trust authority,
knows the value of $S_{ID,TA}$.
The goal is to encrypt a message m to a set of people who know a given
subset of keys. We would like to do this in as short a message as possible and
be able to describe completely exactly which set of keys are needed to decrypt
the message.
Example. To see the use of the special conjunction operation ⊗, consider the
case of two trust authorities and two identifiers. We form the admissible atomic
sets
$S_1 = \{(ID_1, TA_1)\}, \qquad S_2 = \{(ID_2, TA_2)\},$
where $R_{TA_j} = s_j P$. Then
Hence, we need to know the four secret keys $S_{ID_i,TA_j}$ for $1 \le i, j \le 2$, or in other
words we need to know the "virtual" secret key
$S_S = \sum_{i,j=1}^{2} S_{ID_i,TA_j}.$
We have seen in Section 3 examples where either $ID_i = ID_{i'}$ for all $i, i'$, or
$TA_j = TA_{j'}$ for all $j, j'$. We leave it to the reader to check that all our previous
examples correspond to admissible sets.
So for decryption we still add private keys together, but for encryption we need
to multiply ephemeral keys together, after they have been passed through the
pairing.
We can now return to our press release example. Using an authority for time,
which simply issues the private key according to the current time at given time
intervals, and another (different) authority to issue private keys to all journalists,
we can encrypt a press release so that the intended recipients can only read it
at some point in the future. Notice how simple this is using identifier based
systems, since the encryptor does not need to know in advance what the time
authority will do. The encryptor need only know that the authority will issue
the private key corresponding to a given identifier.
With a traditional public key system one could obtain the same effect, but
only by knowing, at the encryption stage, the public key corresponding to the
private key; this would involve the encryptor asking the time authority precisely
which public key should be used.
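The encryptor's side of this time-release idea can be sketched as follows; the identifier format, the mock TimeAuthority class, and its hash-based key-derivation shortcut are all assumptions of this sketch, not part of the scheme in the text:

```python
import hashlib
from datetime import date

def time_identifier(release: date) -> str:
    """The encryptor forms the identifier from the release time alone;
    no interaction with the time authority is needed in advance."""
    return f"timeauthority||{release.isoformat()}"

class TimeAuthority:
    """Mock authority: issues the private key for a time identifier only
    once the stated time has passed (real key extraction is elided)."""
    def __init__(self, master_secret: bytes):
        self.master_secret = master_secret

    def extract(self, identifier: str, today: date):
        release = date.fromisoformat(identifier.split("||")[1])
        if today < release:
            return None  # key not yet released
        return hashlib.sha256(self.master_secret + identifier.encode()).digest()

ta = TimeAuthority(b"master")
ident = time_identifier(date(2002, 12, 25))
assert ta.extract(ident, today=date(2002, 10, 1)) is None      # too early
assert ta.extract(ident, today=date(2003, 1, 1)) is not None   # released
```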
the president or CEO of the ACME company. Hence, using the trust authority
ACME one would want to encrypt to either
QA or QB.
SA,1 = s1 QA , SA,2 = s2 QA ,
SB,1 = s1 QB , SB,2 = s2 QB .
We would like to encrypt a message so that a party who has any one of these
secret keys is able to decrypt the message. We make the assumption that there
are four fixed integers
x1, x2, y1, y2 ∈ F*q
known to all parties, such that x1 ≠ x2 and y1 ≠ y2. We then form the virtual
public keys given by
where
α = (y2 − y1)/y2, β = y1/y2, γ = y1 − y2,
δ = (x2 − x1)/x2, ε = x1/x2, ζ = x1 − x2.
The precise identities one uses will depend on which of the secret keys the de-
cryptor has access to.
Decryptor knows SA,1 . We first show how to decrypt assuming the recipient
has the private key SA,1 . The decryptor needs to compute t(RV , rQV ), which
with knowledge of SA,1 they can do via:
Decryptor knows SA,2. Next we show how to decrypt assuming the recipient
has the private key SA,2 . The decryptor needs to compute t(RV , rQV ), which
with knowledge of SA,2 they can do via:
The other two cases we leave for the reader, since they are computed in a similar
way.
Finally, notice that if the decryptor uses the other two combinations of the
identities then they recover no information since, for example, using
we obtain
Hence, to decrypt, one would need knowledge of either rQA or rQB neither of
which is available to the decryptor.
5 Conclusion
We have seen how multiple trust authorities combined with conjunctions of keys
can be used in a variety of applications. We have explained how various conjunc-
tions of keys (essentially, access rights) can be created in an efficient manner.
We believe the use of identifier based systems with multiple trust authorities
and multiple identifiers opens up simplified ways of specifying access rights; a
number of possible real-life examples have been given in the text.
We have shown how to build up so called ‘admissible sets’ of identifier/trust
authority pairs, via a form of specialised conjunction. These admissible sets
can then be used to form general conjunctions and/or a special form of naive
disjunction. The general form of disjunction is only possible for two such sets.
A general form of disjunction for arbitrary numbers of admissible sets we leave
as an open research problem.
References
1. D. Boneh and M. Franklin. Identity based encryption from the Weil pairing.
Advances in Cryptology – CRYPTO 2001, Springer-Verlag LNCS 2139, 213–229,
2001.
2. D. Boneh, B. Lynn and H. Shacham. Short signatures from the Weil pairing.
Advances in Cryptology – ASIACRYPT 2001, Springer-Verlag LNCS 2248, 514–
532, 2001.
3. C. Boyd. Some applications of multiple key ciphers. Advances in Cryptology –
EUROCRYPT ’88, Springer-Verlag LNCS 330, 455–467, 1988.
4. C. Boyd. A new multiple key cipher and an improved voting scheme. Advances in
Cryptology – EUROCRYPT ’89, Springer-Verlag LNCS 434, 617–625, 1989.
5. J. C. Cha and J. H. Cheon. An Identity-Based Signature from Gap Diffie-Hellman
Groups. Preprint 2002.
6. C. Cocks. An identity based encryption scheme based on quadratic residues. Cryp-
tography and Coding, Springer-Verlag LNCS 2260, 360–363, 2001.
7. Y. Desmedt. Society and group oriented cryptography: A new concept. Advances
in Cryptology – CRYPTO ’87, Springer-Verlag LNCS 293, 120–127, 1987.
1 Introduction
G. Davida, Y. Frankel and O. Rees (Eds.): InfraSec 2002, LNCS 2437, pp. 276–287, 2002.
© Springer-Verlag Berlin Heidelberg 2002
Plausible Deniability Using Automated Linguistic Steganography 277
through deniability. In this case, secrecy may be for both the information itself
and the use of particular cryptographic techniques.
A Survey of Information Hiding [8] introduces different methods of hiding
information. These include steganography, watermarking, covert channels and
other methods of hiding. The concept of Chaffing and Winnowing, [9] and [3],
introduces a method to hide messages in network traffic.
The purpose of this paper is to propose an enhanced automated system to
enable someone to deny that a cryptographic, or random, string has meaning.
The concept of Plausible Deniability in this context implies that it is difficult
for an adversary to prove the meaning of a particular message. The authors do
not provide any ability to deny the transmission or receipt of a message. The
emphasis is on the ability to deny meaning. Another benefit may be the ability
to deny the use of a specific cryptographic algorithm.
The term plausible deniability has distinct meanings in the legal profession
[11]. There are also political contexts of plausible deniability where a person
is deliberately kept in the dark to render their denial of an event “plausible”
or even believable. What is important to understand is that any such scheme,
automated or not, requires a certain level of deceit from some human being who
is interested in denying the claim. The deceit, in the case of the system discussed
in this paper, must come from the sender and receiver of the messages.
The results of the Deniable Nicetext transformations may contain two or
more messages. It should be difficult for an observer to prove the existence of
more than one message. Even with the suspicion of multiple messages, the
external encryption routines should make it difficult for an adversary to prove
the meaning of a particular message. With mutual cooperation from the
sender and receiver it should be possible to plausibly deny the meaning of the
entire message.
This paper introduces a system to achieve deniability of cryptograms as well
as plaintext. The system introduced extends the Nicetext suite of applications
[5,6]. After briefly discussing the Nicetext system for completeness, the authors
introduce Recursive Nicetext which leads to the new Deniable Nicetext.
2 Basic Nicetext
Table 2. Different Contextual Templates Produce Different Nicetext from the same
input.
It is then possible to convert any ciphertext into nice-text which has structure
and, to some extent, meaning: the ultimate goal of linguistic steganography,
and similar in aim to this paper.
To demonstrate the quality of the various transformation methods, the au-
thors start with the popular children’s story, The Wizard of Oz, which is avail-
able from the Project Gutenberg web page at gutenberg.org. The truncated
examples only show the first paragraph for brevity. The following is an actual
excerpt from L. Frank Baum’s The Wizard of Oz:
Using a very large dictionary with 189,991 words put into 56,429 categories,
the system automatically generated several different contextual templates. This
paper does not describe the contextual template generation process.
The Nicetext process uses these advanced dictionaries and templates to con-
vert ciphertext into new stories which, to varying degrees, share similar charac-
teristics with the original document. Rather than showing the contextual tem-
plates, this paper emphasizes the results of transformations of the following
ciphertext, shown in hexadecimal notation:
The first example shows the results of transforming the above ciphertext
using a series of contextual templates based on the structure of the sentences in
the original story:
So the soldier was summoned and entered the Throne Room doggedly,
for wherewithal Oz was alive he never was allowed to come farther than
the door. When the Guardian of the Gate saw them again he wrapped
greatly that they should leave the beautiful City to get into new trouble.
whitespace, etc. to provide maximum flexibility and robustness against countermea-
sures designed to thwart other programs which exclusively use whitespace to store
information.
280 M. Chapman and G. Davida
The wild crows flew in one great flock toward Dorothy and her compan-
ions. You have plenty of courage, I am sure, answered Oz. No; there were
some, but the monster has eaten them all. I was afraid I could have to
stay in the river forever, he said, but the kind Stork saved me, and if I
ever beget any brains I shall find the Stork again and do her some kind-
ness in return. She wiggled at the rapid flight of the Monkeys, but was
glad the journey was over. There! All you need is confidence in yourself.
...
The reason for the variation is that contextual templates are chosen inde-
pendently from the input ciphertext. The above two examples used different
sequences of sentence-level templates. The Nicetext system can recover the in-
put ciphertext, in this case, 145727. . . , from either generated text.
The main disadvantage of sentence-level contextual templates is that, al-
though each sentence appears to properly mimic the style of the original docu-
ment, the sequence of sentences appears to be random, as it should.
An alternative is to use contextual templates based on larger sections of a
document. The next example uses templates based on the structure and format
of the entire original document:
For the purposes of this paper, it is important to emphasize that the exist-
ing Nicetext software can automatically create a variety of contextual templates
from many natural-language texts. The Nicetext system uses these contextual
templates to transform ciphertext into harmless-looking text that shares some
of the characteristics of the original document used as the template source. The
Reverse-Nicetext process can always recover the input ciphertext from the gen-
erated text.
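A minimal sketch of the dictionary-driven substitution behind this process, assuming a two-entry toy dictionary and a fixed noun/verb template (the real system's dictionaries hold hundreds of thousands of words and the contextual templates are far richer):

```python
# Toy sketch of the Nicetext idea: a dictionary maps code bits to words,
# and a reverse table recovers the bits. The real system additionally
# uses contextual templates to choose word categories; that is elided here.
dictionary = {
    "noun": {"0": "dog", "1": "wizard"},
    "verb": {"0": "runs", "1": "sings"},
}
reverse = {w: b for cat in dictionary.values() for b, w in cat.items()}

def nicetext(bits: str, template=("noun", "verb")) -> str:
    """Consume one bit per word, following a (cyclic) sentence template."""
    words = []
    for i, b in enumerate(bits):
        cat = template[i % len(template)]
        words.append(dictionary[cat][b])
    return " ".join(words)

def reverse_nicetext(text: str) -> str:
    """Reverse-Nicetext needs only the dictionary, not the template."""
    return "".join(reverse[w] for w in text.split())

cipher_bits = "1011"
generated = nicetext(cipher_bits)   # -> "wizard runs wizard sings"
assert reverse_nicetext(generated) == cipher_bits
```

The key property mirrored here is that recovery is deterministic from the dictionary alone, whatever template produced the text.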
3 Recursive Nicetext
can be transformed into one of many nice-texts. One way to represent this
transformation is: NTd,s(c1) → ti.
Recursive applications of Nicetext require a set of dictionaries, contextual
templates, and encryption functions: dn, sn, and En. One representation of
recursive Nicetext is: NTdn,sn(En(pn)) → pn+1.
To recover the alleged ciphertext, cn, which may be En(pn), the InvNT
function uses just the dictionary, dn, as follows:
InvNTdn(pn+1) → cn = En(pn). The recovery of pn, of course, simply requires
the appropriate decryption function and key for InvEn . One source of deniability
is the ability for the sender and receiver to claim that cn is not ciphertext, but
gibberish! The strength of this claim depends on the strength of the external
encryption routine and the decryption key.
Nicetext does not provide any compression, encryption or decryption func-
tions beyond the actual substitution cipher used for steganography purposes.
In fact, the original intent of the Nicetext system was to cover up the use of
such functions and to allow a certain amount of deniability as to whether or not
a valid decryption function exists to expose a suspected plaintext. The “plausi-
ble” alternative is that someone interested in the “entertainment value” of the
generated nice-text simply used a pseudo-random number source as input.
To simplify the discussion as it pertains to this paper, the authors assume
that all encryption functions, En , are the same, meaning the same algorithm
and the same key, unless otherwise specified. Additionally, each level of recursion
uses the same dictionary and contextual template source. In practice, it may be
interesting to convert a message into a story, then a novel, then a business plan!
It also may be interesting to use a complicated sequence of encryption keys to
further thwart efforts to prove meaning. By adding such complexity the concept
of key-exchange becomes more difficult between sender and receiver. Somehow
they must secretly agree on the sequence of algorithms, keys and dictionaries.
For brevity, it is not a focus of this paper to explore and exploit such complexity.
That said, the recursive application of Nicetext should be straightforward.
Take some ciphertext, turn it into nice-text, encrypt the nice-text, repeat.
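The recursion can be sketched as follows, with a byte-to-word mapping standing in for the full Nicetext transform and an XOR keystream standing in for the externally supplied En (both are assumptions of this sketch, not the actual software):

```python
import hashlib

# Stand-ins (assumptions of this sketch): NT maps each byte to a word;
# E is a toy XOR stream "cipher" standing in for an external algorithm.
def NT(data: bytes) -> str:
    return " ".join(f"w{b:02x}" for b in data)

def InvNT(text: str) -> bytes:
    return bytes(int(w[1:], 16) for w in text.split())

def E(data: bytes, key: bytes) -> bytes:
    stream = hashlib.sha256(key).digest() * (len(data) // 32 + 1)
    return bytes(a ^ b for a, b in zip(data, stream))  # XOR is its own inverse

key = b"shared-secret"
plaintext = b"attack at dawn"

# Forward: NT(E(p_n)) -> p_{n+1}, three levels deep.
p = plaintext
for _ in range(3):
    p = NT(E(p, key)).encode()

# Unwind: InvNT recovers E(p_n); applying E again recovers p_n.
unwound = p
for _ in range(3):
    unwound = E(InvNT(unwound.decode()), key)
assert unwound == plaintext
```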
4 Deniable Nicetext
Now that Nicetext uses the function, I(c1 ) = |c1 | + c1 + rl , as the input,
it is interesting to consider that the sender may want to encode an additional
ciphertext, c2 in place of rl ! As long as the length of c2 , |c2 |, is smaller than l,
the modified function5 becomes:
I(c1 ) = |c1 | + c1 + |c2 | + c2 + r(l−|c2 |) .
Now the sender uses the Nicetext protocol to generate some harmless text,
t1 from ciphertext c1 and c2 and some additional random bits. The Nicetext
protocol requires a dictionary, d, and a contextual template, s, to generate one
of many ti ’s from c1 . The transformation is N T(d,s) (I(c1 )) −→ ti .
Assume that anyone with the reverse protocol, InvN T , and the appro-
priate dictionary, d, can recover I(c1 ) from any one of the possible ti ’s,
InvN Td (ti ) −→ I(c1 ). The protocol specifies that I(c1 ) = |c1 | + c1 + rl ; thus,
it is trivial to recover c1 . The original claim that it is unknown if c1 is really
ciphertext still applies. Additionally, it is trivial to recover rl from I(c1 ). The
new question is whether rl contains only additional pseudo-random bits or
whether it is actually |c2| + c2 + r.
One clue is to see if the first few bits after c1 represent a plausible length
of c2 . One solution is to use an encryption algorithm (and key), E2 to encrypt
the length of c2 . That changes the definition of I to be I(c1 ) = |c1 | + c1 +
E2 (|c2 |) + c2 + r. Because Nicetext does not intend to be anything more than
a creative simple-substitution cipher, E2 is any externally-supplied algorithm,
such as DES, RSA, IDEA, etc [10].
Multiple ciphertexts could be hidden the same way, so that I(c1 ) = |c1 | +
c1 + E2 (|c2 |) + c2 + E3 (|c3 |) + c3 + ...+ Em (|cm |) + cm + r. Additional trickery may
include creative uses of XOR’ing combinations of ci ’s or using error correcting
codes to contain the real ciphertext. For clarity, the authors sometimes limit the
discussion to only one additional ciphertext message, c2 .
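The field layout I(c1) = |c1| + c1 + E2(|c2|) + c2 + r can be sketched with explicit length fields; the 2-byte lengths, the SHA-256-based keystream standing in for E2, and the 8-byte minimum padding are all assumptions of this sketch (the paper leaves E2 and the field widths to the implementer):

```python
import hashlib, os

def keystream(key: bytes, n: int) -> bytes:
    # Toy stand-in for the externally supplied cipher E2 (e.g. DES, IDEA).
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def build_input(c1: bytes, c2: bytes, key2: bytes, pad: int = 8) -> bytes:
    """I(c1) = |c1| + c1 + E2(|c2|) + c2 + r  (2-byte length fields)."""
    r = os.urandom(pad)  # trailing pseudo-random filler
    return (len(c1).to_bytes(2, "big") + c1 +
            xor(len(c2).to_bytes(2, "big"), key2) + c2 + r)

def parse(blob: bytes, key2: bytes):
    n1 = int.from_bytes(blob[:2], "big")
    c1, rest = blob[2:2 + n1], blob[2 + n1:]
    n2 = int.from_bytes(xor(rest[:2], key2), "big")  # only key2 reveals |c2|
    return c1, rest[2:2 + n2]

c1, c2 = b"decoy ciphertext", b"real message bits"
blob = build_input(c1, c2, key2=b"k2")
assert parse(blob, b"k2") == (c1, c2)
```

Without key2, the encrypted length field after c1 is indistinguishable from the random filler that follows, which is the source of deniability here.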
The goal of the Nicetext research is not to develop strong cryptographic
algorithms. The purpose is to cover up the use of such algorithms. By extending
the protocol to allow a minimum number of pseudo-random bits to be added to
the input stream, there are more places to possibly hide information.
If a sender or receiver of a nice-text message is forced to “turn over the keys”,
it is now possible for them to say, “okay, you got me, the file c1 is actually an
encrypted message, not just plain text.” This still leaves the question as to
whether or not the remaining part of I(c1 ) = E2 (|c2 |) + c2 + r or if I(c1 ) simply
contains random bits, r.
In fact, this works so well, that it is possible that the receiver may not be
certain whether there is a second message! If there is more than one message, the
receiver may have a problem knowing which is the real one. To solve this problem, the
system requires a secret hash function, H, which will generate a hash, hi of
ciphertext ci through: H(c1 ) −→ h1 .
5 The purpose of the (l − |c2|) is to show that the minimal length of r would be reduced
by the actual size of c2 as well as the number of bits required to represent the length
of c2, |c2|. The rest of this discussion will simply specify r without the subscripts for
simplification.
It is imperative that the hash function is a shared secret between the sender
and receiver of the nice-text. The Nicetext system itself does not provide a hash
function. MD5 or SHA1 or even the use of a block-cipher such as DES may work
well.
In any case, the I(c1) function must append a fixed-length secret hash of any
ciphertext that is meaningful and an incompatible hash H′ of the same length
for any ciphertext which is not useful; thus:
If c2 contains the valid ciphertext, then
I(c1) → |c1| + H′(c1) + c1 + |c2| + H(c2) + c2 + r.
If c1 contains the valid ciphertext, then
I(c1) → |c1| + H(c1) + c1 + |c2| + H′(c2) + c2 + r.
In either case, with the proper hash functions and the proper adjustments
to the minimum lengths of r to allow for the fixed-length fields required to hide
c2 , it still looks like
I(c1) → |c1| + (some random-looking bits) + c1 + r.
Assume that from a plaintext, p2, it is trivial to recover I(c1). Given the
correct secret hash function, it is now possible to determine whether c2 exists
as a valid message by following the protocol in Figure 1.
1. Transform the nice-text, p2 , into I(c1 ) through simple substitution (read each word
from p2 , output the corresponding code from the dictionary, d, to recover the bits
from I(c1 ) . . . ).
2. Read the length of c1 , |c1 |.
3. Read the hash of c1 , H(c1 ).
4. Read c1 and compute the secret hash of c1 .
5. If the hash of c1 matches the secret hash, then c1 is the real message.
6. If not, then read the next few bits of what may have been r - which really is |c2 |.
7. Read the hash of c2 , H(c2 ).
8. Read c2 and compute the secret hash of c2 .
9. If the hash of c2 matches the secret hash, then c2 is the real message.
10. etc.
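The steps above can be sketched as follows; the 2-byte lengths, 8-byte tags, and the use of truncated HMAC-SHA1 as the shared secret hash are assumptions of this sketch (the paper only requires some secretly keyed, fixed-length hash, suggesting MD5, SHA1, or a block cipher):

```python
import hmac, hashlib, os

SECRET = b"shared hash secret"  # the secret hash shared by sender/receiver
TAG = 8  # fixed hash length in bytes (an assumption of this sketch)

def H(data: bytes) -> bytes:
    # HMAC-SHA1 truncated to TAG bytes, as one concrete keyed choice.
    return hmac.new(SECRET, data, hashlib.sha1).digest()[:TAG]

def frame(msg: bytes, real: bool) -> bytes:
    """|c| + hash + c; a decoy gets an incompatible (random) hash."""
    tag = H(msg) if real else os.urandom(TAG)
    return len(msg).to_bytes(2, "big") + tag + msg

def find_real(blob: bytes) -> bytes:
    """Walk the fields: the first ciphertext whose hash verifies is real."""
    while blob:
        n = int.from_bytes(blob[:2], "big")
        tag, msg = blob[2:2 + TAG], blob[2 + TAG:2 + TAG + n]
        if hmac.compare_digest(tag, H(msg)):
            return msg
        blob = blob[2 + TAG + n:]
    raise ValueError("no valid message found")

# c1 is a decoy (random tag); c2 carries the valid secret hash.
blob = frame(b"decoy", real=False) + frame(b"payload", real=True)
assert find_real(blob) == b"payload"
```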
6 Remarks
References
1. Ross J. Anderson and Fabien A. P. Petitcolas. On the limits of steganography.
IEEE Journal of Selected Areas in Communications, 16(4):474–481, May 1998.
2. Donald Beaver. Plausible deniability. In Jiri Pribyl, editor, Proceedings of Praguo-
crypt 96, 1996.
3. M. Bellare and A. Boldyreva. The security of chaffing and winnowing. Advances in
Cryptology – ASIACRYPT 2000, Springer-Verlag LNCS 1976, pages 517–530, 2000.
4. M. Burmester, Y. Desmedt, and M. Yung. Subliminal-free channels: a solution
towards covert-free channels. In Symposium on Computer Security, Threats and
Countermeasures, pages 188–197, 1991. Roma, Italy, November 22-23, 1990.
5. Mark Chapman and George Davida. Hiding the hidden: A software system
for concealing ciphertext as innocuous text. In Yongfei Han, Tatsuaki Okamoto,
and Sihan Qing, editors, Information and Communications Security – First Inter-
national Conference, ICICS 97 Proceedings, volume 1334, pages 335–345. Springer-
Verlag, 1997.
6. Mark Chapman and George Davida. A practical and effective approach to large-
scale automated linguistic steganography. In Information Security Conference 01
Proceedings, pages 156–170. Springer-Verlag, 2001.
7. Ran Canetti, Cynthia Dwork, Moni Naor, and Rafail Ostrovsky. Deniable encryption. In
Proceedings of CRYPTO 97, pages 90–104. Springer, 1997.
8. Fabien A. P. Petitcolas, Ross J. Anderson, and Markus G. Kuhn. Information
hiding — A survey. Proceedings of the IEEE, 87(7):1062–1078, 1999.
9. R. L. Rivest. Chaffing and winnowing: Confidentiality without encryption. Cryp-
toBytes, 4(1), 1998.
10. Bruce Schneier. Applied Cryptography Second Edition: protocols, algorithms, and
source code in C. John Wiley and Sons, New York., 1996.
11. Douglas Walton. Plausible deniability and evasion burden of proof. Argumentation,
10:47–58, 1996.
Virtual Software Tokens – A Practical Way to
Secure PKI Roaming
Taekyoung Kwon
1 Introduction
G. Davida, Y. Frankel and O. Rees (Eds.): InfraSec 2002, LNCS 2437, pp. 288–302, 2002.
© Springer-Verlag Berlin Heidelberg 2002
Virtual Software Tokens – A Practical Way to Secure PKI Roaming 289
2 Preliminaries
We will use id and π as the user’s name (ID) and password, respectively. Also we
define svri as the name of a remote trusted server, where 1 ≤ i ≤ n for n servers.
The values pksvri and sksvri will denote server i’s authentic public key and private
key, respectively. Note that we will not describe the public key operations of each
server in detail; rather, we will use Epksvri() and Dsksvri() for convenience. However,
we will describe the user’s RSA public key pair in detail. So, <e, N> and <d, N>
will denote the user’s RSA key pair, where N is a good RSA product of two distinct
odd primes satisfying 2^(λ−1) ≤ N < 2^λ, and e and d are, respectively, encryption
and decryption exponents, satisfying e, d ∈ Z*φ(N) and ed ≡ 1 (mod φ(N)) [16].
The Euler totient function is denoted by φ(N). Let h0() and hij() denote strong
one-way hash functions. Also let κ be the main cryptographic security parameter,
such that κ = 160, while λ is a secondary security parameter for public keys, such
that λ = 1024. Also we define a tiny parameter σ such that σ = 16. Finally,
C[e, N] will denote the user’s X.509 certificate. Additional notation that is not
described here will be declared in each part of this paper.
RSA is the most famous and widely used public-key cryptosystem, named af-
ter its inventors Rivest, Shamir, and Adleman[16]. Its security is based on the
intractability of the integer factorization problem, meaning that N must be resis-
tant to factoring, where N is a product of two distinct odd primes satisfying
2^(λ−1) ≤ N < 2^λ. In general e and d denote an encryption exponent and a decryp-
tion exponent, respectively, satisfying e, d ∈ Z*φ(N) and ed ≡ 1 (mod φ(N)) [16].
So, RSA can be used to encrypt a message under the encryption exponent e, as
well as to generate a digital signature under the decryption exponent d. Note
that different key pairs must be used for respective purposes.
Due to the algebraic properties of RSA, we can develop collaborative
signature schemes easily [3,2]. These are called multi-party RSA schemes. As
a pioneering study, Boyd suggested splitting the decryption exponent multi-
plicatively, for example, d ≡ d1 d2 (mod φ(N)) [3,2]. In this case, two parties
sharing the exponents can collaborate to sign a message m such that m^d ≡
(m^d1)^d2 (mod N). The general case is d ≡ ∏_{i=1}^{n} di (mod φ(N)).
Another line of work splits the decryption exponent additively, for example,
d ≡ d1 + d2 (mod φ(N)) [12,2]. In this case, two parties sharing the exponents
can collaborate to sign a message m such that m^d ≡ m^d1 · m^d2 (mod N). The
general case is d ≡ ∑_{i=1}^{n} di (mod φ(N)).
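Both splittings can be checked with toy numbers; the sketch below uses tiny illustrative primes (real moduli are at least 1024 bits) and Python's three-argument pow for modular inverses:

```python
from math import gcd

# Tiny RSA parameters (illustrative only; real moduli are >= 1024 bits).
p, q = 1009, 1013
N, phi = p * q, (p - 1) * (q - 1)
e = 17
d = pow(e, -1, phi)  # modular inverse (Python 3.8+)

m = 424242 % N

# Multiplicative split (Boyd): d = d1 * d2 mod phi(N).
d1 = 5
assert gcd(d1, phi) == 1          # d1 must be invertible mod phi(N)
d2 = (d * pow(d1, -1, phi)) % phi
sig = pow(pow(m, d1, N), d2, N)   # the two parties sign in turn
assert sig == pow(m, d, N)

# Additive split: d = d1 + d2 mod phi(N).
a1 = 123456
a2 = (d - a1) % phi
sig = (pow(m, a1, N) * pow(m, a2, N)) % N  # partial signatures multiplied
assert sig == pow(m, d, N)
```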
A typical proposal of using multi-party RSA was the server-aided RSA sig-
natures for improving efficiency of low-performance devices[1,13]. Also it was of
great interest to improve security of using tamper-resistant device[4]. The no-
tions of proactive security as well as threshold cryptography gave a birth to the
proactive RSA schemes[7]. Another interesting proposal was the two-party case
of using a password[8,12]. For example, Ganesan and MacKenzie respectively
set one of split exponents, d1 , as user’s password component while the other
exponent as server’s component. We extend these ideas to multi-party cases for
secure PKI roaming.
A simple model can be devised for describing the exact form of PKI roaming.
The most fundamental assumption is that a PKI may be provided in this model.
A client system could acquire authentic public keys in that sense. We postulate
[Figure 1: the basic model, with a client interacting with n remote servers.]
This basic model can be depicted in three ways: a single server system
(n = 1), a centered server system (n > 1, but the key recovery servers may be
controlled by a single server), and a multiple server system (n > 1). See Figure
1. The user may want to recover a private key, generate a digital signature, or
decrypt an encrypted message via PKI roaming in each system. So, the adversarial
goals may include the following when we consider the security of PKI roaming.
<Adversarial goals>
– Recovery of the private key
– Signature forgery
– Message decryption
For achieving the adversarial goals, the adversary must compromise a multitude
of remote servers. So, we can define the following in terms of security.
[Figure 2: (a) conventional password authentication, with a single password pw and verifier v; (b) split password authentication, with split passwords pw1, . . . , pwn and verifiers v1, . . . , vn held by separate servers.]
Therefore, a single server compromise is a full server compromise (FSC) in the
single server system and the centered server system1, while it is only a partial
server compromise (PSC) in the multiple server system.
In that sense, the proposed scheme must prevent the following attacks before
an FSC (even after a PSC) for secure PKI roaming: (i) replay attacks, (ii)
masquerade attacks, and (iii) off-line analysis.
Our basic idea is to split a password as well as a private key, and distribute them
over a multitude of servers in a way that shadows the real ID. See Figure 2. In
conventional password authentication (a), a client may provide password infor-
mation to a server which holds a corresponding verifier. If the given information
is valid, the server may download a private key to the client or collaborate to
generate a signature for PKI roaming users. In split password authentication (b),
a client may provide each split password information to a multitude of servers
which hold respectively corresponding verifiers. If the given information is valid,
each server may download a split private key to the client or collaborate to gen-
erate a signature for PKI roaming users. If the given information is invalid for a
reasonable amount of time, the corresponding server may respond with random
1 We consider a compromise of the main server in the centered server system. The main
server may authenticate a user and control a multitude of key recovery servers.
data rather than refusing services. This idea can resist on-line guessing attacks
successfully in our case. As for a server compromise, an adversary cannot succeed
in achieving the adversarial goals with a PSC2 , because the split verifiers as well
as the split private keys must be aggregated. Our split password authentication
model may be appropriate for multiple server-based PKI roaming in that sense.
User ID. The user’s unique name, id, is necessary for a server to identify users in
a protocol run. However, no server should be able to disclose the actual name easily
in the case of a PSC. We derive ψi from id in that sense, as follows:
ψi ← hi1 (svri , id)
Here ← denotes derivation. Since svri can be read from the server’s authentic
public key or set as a network address, a user can derive ψi easily in a client
system. Then each server, svri, may identify the user with ψi in a protocol run.
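A sketch of this derivation, using SHA-256 as a stand-in for the hash family hi1 (an assumption; the text does not fix a concrete hash):

```python
import hashlib

def pseudonym(server_name: str, user_id: str) -> str:
    """psi_i <- h_i1(svr_i, id): a per-server shadow of the real ID.
    SHA-256 over a simple concatenation stands in for h_i1."""
    return hashlib.sha256(f"{server_name}||{user_id}".encode()).hexdigest()

psis = [pseudonym(f"svr{i}", "alice") for i in range(1, 4)]
# Each server sees a different pseudonym, none revealing 'alice' directly,
# yet the client can re-derive all of them from id alone.
assert len(set(psis)) == 3
assert psis[0] == pseudonym("svr1", "alice")
```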
Protocol Setup. The user must register with the n trusted servers before
PKI roaming. For this purpose, the user provides the values <ψi, νi, di>
to each server svri. Then svri will store (ψi : νi : di), i.e., (ID : verifier : data),
in a secure database. Also C[e, N] can be retained by a certain server. The client
software is presumed trustworthy in obtaining each trusted server’s authentic
public key as well as every algorithm utilized in the proposed scheme[6,10]. The
roaming user remembers his (her) id and π pair only.
Protocol Run. The roaming user launches the client program and enters id and
π in order to generate an RSA signature for an arbitrary message M. Then the
client computes ψi and νi, and generates random integers, ρi, of length λ, where
1 ≤ i ≤ n. The client runs the following steps with each server. A =⇒ B : M
denotes that A sends M to B.
1. The client encrypts (ψi , νi , M, ρi ) under pksvri and sends it to a server svri .
client =⇒ svri : {ψi, νi, M, ρi}pksvri
If the verifiers do not match for a reasonable amount of time, svri may keep
responding with random data rather than refusing it. Then the client de-
crypts the message with ρi and obtains the partial signature, M^di mod N.
After cooperating with all n servers, the client will have aggregated all partial
signatures, so that it can compute the following. Set each partial signature
Mi = M^di mod N.
M̄ ← M1 M2 · · · Mn mod N
S ← M̄^d0 mod N
The finally obtained value S corresponds to the user’s RSA signature since
(∏_{i=1}^{n} M^di)^d0 ≡ ∏_{i=1}^{n} M^(di d0) ≡ M^d (mod N). The client
should verify M = S^e mod N before reaching completion. We assume C[e, N]
was provided in the protocol run. This is required to detect a denial-of-service
attack. A complete run of the basic protocol is depicted in Figure 3.
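The aggregation step can be verified with toy numbers. Here d is split so that d ≡ d0 · (d1 + · · · + dn) (mod φ(N)); the tiny primes, the choice n = 2, and the concrete values of d0 and d1 are assumptions of this sketch:

```python
# Toy-parameter sketch of the basic protocol's combination step.
p, q = 1009, 1013
N, phi = p * q, (p - 1) * (q - 1)
e = 17
d = pow(e, -1, phi)

d0 = 65537 % phi                      # stands in for the user's h0(id, pi)
total = (d * pow(d0, -1, phi)) % phi  # d1 + ... + dn must sum to this
d1 = 11111
d2 = (total - d1) % phi               # n = 2 servers in this sketch

M = 31337
partials = [pow(M, di, N) for di in (d1, d2)]  # each server: M^{d_i} mod N
Mbar = 1
for Mi in partials:
    Mbar = (Mbar * Mi) % N            # client multiplies partial signatures
S = pow(Mbar, d0, N)                  # ...and raises to its own d0

assert S == pow(M, d, N)              # equals the ordinary RSA signature
assert pow(S, e, N) == M              # client's final check: M = S^e mod N
```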
4 Extended Protocols
A few extended protocols can be derived simply from the basic protocol for
various usages of the virtual software tokens.
µ ← w^e M mod N
2. The client encrypts (ψi, νi, µ, ρi) under pksvri and sends the result to the
server svri. The client computes w^(−1) mod N.
Then svri decrypts it and loads (ψi : νi : di ) for evaluating νi . At this time,
svri cannot understand µ since it is blinded.
3. If the verifiers match, svri generates a partial signature such as µ^di mod N
and encrypts it under ρi for the following transmission. If the verifiers do
not match for a reasonable amount of time, svri may respond with random
data rather than refusing it.
Then the client decrypts the message with ρi and obtains a partial blind
signature µ^di mod N.
After cooperating with all n servers, the client will have aggregated all par-
tial blind signatures, so that it computes the following. Set each partial blind
signature Mi = µ^di mod N.
M̄ ← M1 M2 · · · Mn mod N
B ← M̄^d0 mod N
S ← w^(−1) B mod N
The finally obtained value S corresponds to the user’s RSA signature since
(∏_{i=1}^{n} (w^e M)^di)^d0 ≡ ∏_{i=1}^{n} (w^e M)^(di d0) ≡ w M^d (mod N) and
w^(−1) w M^d ≡ M^d (mod N). The client should verify M = S^e mod N before
reaching completion.
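The blinding arithmetic can be checked the same way; as before, the tiny parameters and the blinding factor w are illustrative values assumed by this sketch:

```python
# Blind variant: the servers sign mu = w^e * M, never seeing M itself.
p, q = 1009, 1013
N, phi = p * q, (p - 1) * (q - 1)
e = 17
d = pow(e, -1, phi)

d0 = 65537 % phi
total = (d * pow(d0, -1, phi)) % phi
d1, M, w = 11111, 31337, 271  # w: the client's random blinding factor
d2 = (total - d1) % phi

mu = (pow(w, e, N) * M) % N                     # client blinds the message
partials = [pow(mu, di, N) for di in (d1, d2)]  # servers sign mu only
B = pow(partials[0] * partials[1] % N, d0, N)   # B = w * M^d mod N
S = (pow(w, -1, N) * B) % N                     # unblind with w^{-1}

assert S == pow(M, d, N)
assert pow(S, e, N) == M
```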
We can use the basic protocol directly for message decryption. However, in this
case, an FSC may allow an adversary to decrypt a message after succeeding in
a dictionary attack. So, we have to apply the blind signature generation protocol
to message decryption, to guarantee forward secrecy even in the case of an
FSC. The protocol is summarized as follows. Note that different key pairs must
be used respectively for signature generation and message decryption.
µ ← w^e M^e mod N
2. The client encrypts (ψi , νi , µ, ρi ) under pksvri and sends the result to the
server svri . The client computes w−1 mod N .
298 T. Kwon
Split Private Keys Again. For this purpose, we define the hash function h0()
more concretely, so as to output length λ rather than κ:
h0() → {0, 1}^λ
We split the user’s private exponent, d, in a different way:
d ← d0 ⊕ (d1 || d2 || · · · || dn)
In this simple derivation, d0 is a user component such that d0 ← h0(id, π), while
the others are the respective servers’ components. We can easily obtain each di of
sufficient length (> κ) from the existing RSA private key (d, N) such that
d ⊕ d0 = d1 || d2 || · · · || dn. For this purpose, we defined the hash function h0()
specifically above. If n is unreasonably large, such that the length of di is less
than κ, we can replace the concatenation || with ⊕ to guarantee a reasonable
length of di. Finally, the servers share each di, where 1 ≤ i ≤ n. So, the split
private keys above may be used for download only.
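The mask-and-concatenate split can be sketched as follows; the 64-bit toy length (versus λ = 1024 in the text), the SHA-256 truncation for h0, and the equal-size chunks are assumptions of this sketch:

```python
import hashlib

LAMBDA = 64  # key length in bits (toy value; the text uses lambda = 1024)

def h0(id_: str, pw: str) -> int:
    # h0 redefined to output lambda bits (here: SHA-256, truncated).
    digest = hashlib.sha256(f"{id_}||{pw}".encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - LAMBDA)

def split_key(d: int, id_: str, pw: str, n: int):
    """d <- d0 XOR (d1 || d2 || ... || dn): mask d with the password-derived
    d0, then cut the result into n equal server shares."""
    masked = d ^ h0(id_, pw)
    chunk = LAMBDA // n
    return [(masked >> (LAMBDA - (i + 1) * chunk)) & ((1 << chunk) - 1)
            for i in range(n)]

def recombine(shares, id_: str, pw: str) -> int:
    chunk = LAMBDA // len(shares)
    masked = 0
    for s in shares:
        masked = (masked << chunk) | s  # rebuild d1 || d2 || ... || dn
    return masked ^ h0(id_, pw)         # unmask with the user's d0

d = 0xDEADBEEFCAFEF00D  # toy 64-bit "private exponent"
shares = split_key(d, "alice", "secret", n=4)
assert recombine(shares, "alice", "secret") == d
assert recombine(shares, "alice", "wrong") != d  # wrong password fails
```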
Protocol Run. A protocol run may be similar to the above protocols. Note
that the length of ρi can be adjusted to the maximum length of di . A client runs
the following steps with each server in order to download user’s private key.
1. The client encrypts (ψi , νi , ρi ) under pksvri and sends the result to the server
svri .
client =⇒ svri : {ψi , νi , ρi }pksvri
Then svri decrypts it and loads (ψi : νi : di ) for evaluating νi .
2. If the verifiers match, svri encrypts di under ρi for the following transmission.
If the verifiers do not match for a reasonable amount of time, svri may respond
with random data rather than refusing it.
svri =⇒ client: di ⊕ ρi
Then the client decrypts the message with ρi and obtains the split private
key.
After cooperating with all n servers, the client could have aggregated all split
private keys, so that it computes the followings.
d ← d0 ⊕ (d1 ||d2 || · · · ||dn )
Finally, the client obtained the user’s private key.
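The split/download flow above can be sketched in a few lines of Python. This is a minimal model under stated assumptions: SHA-1 iteration stands in for the unspecified h0, the transport encryption under pksvri and the verifier checks are omitted, and n is assumed to divide λ.

```python
import hashlib
import secrets

LAMBDA = 1024  # bit length of h0's output (the paper's lambda)

def h0(user_id: str, password: str) -> int:
    """Illustrative lambda-bit h0(id, pi): iterate SHA-1 until lambda
    bits are available.  The paper only requires lambda-bit output."""
    out = b""
    counter = 0
    while len(out) * 8 < LAMBDA:
        out += hashlib.sha1(f"{user_id}|{password}|{counter}".encode()).digest()
        counter += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - LAMBDA)

def split_private_exponent(d: int, user_id: str, password: str, n: int):
    """d = d0 XOR (d1 || d2 || ... || dn): derive the user part d0 from
    (id, pi) and cut the remainder into n server shares."""
    d0 = h0(user_id, password)
    t = d ^ d0                      # t = d1 || d2 || ... || dn
    chunk = LAMBDA // n             # assumes n divides lambda
    mask = (1 << chunk) - 1
    shares = [(t >> (chunk * (n - 1 - i))) & mask for i in range(n)]
    return d0, shares

def download_and_recombine(d0: int, shares, rhos):
    """Model the download: each server i replies d_i XOR rho_i; the
    client strips rho_i and reassembles d = d0 XOR (d1 || ... || dn)."""
    chunk = LAMBDA // len(shares)
    t = 0
    for d_i, rho_i in zip(shares, rhos):
        reply = d_i ^ rho_i                 # server's masked reply
        t = (t << chunk) | (reply ^ rho_i)  # client removes the mask
    return d0 ^ t
```

Recombining the shares with the same d0 recovers d exactly, since XOR-masking with ρi cancels on the client side.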
5 Analysis
We have proposed the virtual software token, a software token that exists virtu-
ally over a multitude of servers. The virtual software token can be invoked by
software methods in order to achieve the respective goals of PKI roaming, such
as signature generation, message decryption, and key recovery. To this end, we
designed several concrete protocols: a basic protocol, a blind signature protocol, a
message decryption protocol, and a private key download protocol.
We analyze the proposed scheme in this section.
5.1 Security
In this paper we postulate the following for the security assertions.
– An adversary cannot capture the user’s inputs, such as id and π.
– A PKI is provided, so that a client can access an X.509 directory in order to
acquire certificates.
We already examined the security of the split private exponent di and the
random key ρi in Section 3.4. A basic notion of security in split password au-
thentication is that adversarial on-line attempts are frustrated by a server’s
resistant response, i.e., random data. An adversary can distinguish neither which
response is random data nor which server sent the random data in Figure 4-(b), so that
[Fig. 4-(b): each server holds a split password and verifier pair (pw1 /v1 , . . . , pwn /vn );
a random-data response to a wrong split password (e.g., pw2’) is indistinguishable
from valid partial data.]
(s)he cannot analyze the guess correctly. This is because each server verifies par-
tial information of a password and generates partial data with a split private key.
It is computationally infeasible to verify whether the partial data is random.
With a PSC, the adversary is given the information ψi , νi , di , C[e, N ], and sksvri for
the corresponding partial servers only. sksvri can decrypt ρi , so each ρi must be
chosen carefully. The following can be examined for the case of a
PSC.
(i) Replaying all or some of the messages produces no more than the already un-
covered information in a PSC. That is, the correct signature for a new message M
is unobtainable.
(ii) Masquerading as the client requires ψi and νi for all servers. With a PSC
and dictionary attacks, only the compromised portion of π is given. The
uncompromised portion is also necessary but cannot be obtained without
succeeding in on-line attacks, which are well defeated in our protocol. Mas-
querading as the compromised server does not disclose more information.
(iii) Off-line analysis of eavesdropped messages and the PSC information does
not disclose any unknown portion to an adversary lacking sksvri of the remain-
ing servers.
With an FSC, the adversary is given ψi , νi , di , C[e, N ], and sksvri for all
servers. However, a dictionary attack is still necessary to achieve the adver-
sarial goals. In the dictionary attack, an adversary must verify id as well as
π, because we hid id as well; this adds computation to the attack. To add
still more computation, we can set π = π1 + π2 + · · · + πm where n < m. The
(m − n) extra shares may then require signature operations in each attempt of
the dictionary attack.
Even with an FSC and dictionary attacks, the private key d cannot be obtained
in the proposed protocols, except in the private key download protocol. This is
an interesting property, even though the set of partial private keys {d0 , d1 , · · · , dn }
is finally given and can be used for generating a signature or decrypting a message
in the protocols such as the basic protocol, the signature generation protocol,
and the message decryption protocol.
5.2 Efficiency
Note that the parameters were set as σ = 16, κ = 160, and λ = 1024. If the
RSA exponent is chosen at random, RSA encryption using the repeated square-
and-multiply algorithm takes λ modular squarings and an expected λ/2 modular
multiplications [14]. From this point of view, we can evaluate the computational
performance of the virtual software token methods, though balancing security against
efficiency is difficult. Assume e = pksvr = 2^16 + 1 and that the repeated square-
and-multiply algorithm is used. Then the client needs 2n(σ + 1) modular multi-
plications in step 1 and (n−1)+3κ in step 2, due to the length of d0 . Each server
requires 3λ in step 1 and 3κ in step 2, due to the length of di , where 1 ≤ i ≤ n.
Finally, the client needs (σ + 1) modular multiplications to verify S. Both
client and server can have high computing power in our PKI roaming model, so
efficiency is less important than it was in the previous server-assisted
model. We recommend n = 2, 3, or 4 for practical use.
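The σ + 1 figure for e = 2^16 + 1 can be checked by counting operations directly. This is a small sketch; it counts squarings and multiplications separately, whereas the paper lumps both together as modular multiplications.

```python
def square_and_multiply_cost(e: int):
    """Count (squarings, multiplications) for left-to-right repeated
    square-and-multiply with exponent e: one squaring per bit after the
    leading 1, and one multiplication per set bit after the leading 1."""
    squarings = e.bit_length() - 1
    multiplications = bin(e).count("1") - 1
    return squarings, multiplications
```

For e = 2^16 + 1 this gives 16 squarings and 1 multiplication, i.e. σ + 1 = 17 modular multiplications in total; for a random λ-bit exponent the counts are λ − 1 squarings and about λ/2 multiplications on average.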
6 Conclusion
This paper proposed virtual software token methods for running the RSA
algorithm with multiple servers. A virtual software token is a software
token that exists virtually over a multitude of servers. It can be invoked by
software methods to achieve goals such as signature generation, message
decryption, and key recovery. Our basic idea was to hide the real ID and to split
the password as well as the private exponent over multiple servers, in such a way
that a human user keeps only an ID and password pair. Because users demand
to use their digital identifiers in many places, the need for PKI roaming is
growing rapidly. We therefore designed concrete protocols for practical use: a basic
protocol, a blind signature protocol, a message decryption protocol, and a private
key download protocol. Our methods are simple and practical, so that they can be
applied easily to real-world PKI roaming applications. In future
work, space diffusion should be extended to the case t < n to improve tolerance
against denial of service attacks, and time diffusion should also be considered.
References
1. P. Beguin and J. Quisquater, “Fast server-aided RSA signatures secure against
active attacks,” Advances in Cryptology - Crypto 95, Lecture Notes in Computer
Science, Vol. 963, Springer-Verlag, pp. 70–83, 1995.
2. M. Bellare and R. Sandhu, “The security of practical two-party RSA signature
schemes,” Manuscript, 2001.
3. C. Boyd, “Digital multisignatures,” Cryptography and Coding. Oxford University
Press, 241–246, 1989.
4. S. Brands, Rethinking public key infrastructures and digital certificates, The MIT
Press, pp. 11, 219–224, 2000.
5. D. Chaum, “Blind signatures for untraceable payments, ” Advances in Cryptology
– Crypto 82, Lecture Notes in Computer Science, Vol. 1440, Springer-Verlag, pp.
199–203, 1983.
6. W. Ford and B. Kaliski, “Server-assisted generation of a strong secret from a
password,” Proc. IEEE International Workshop on Enterprise Security, 2000.
7. Y. Frankel, P. Gemmall, P. MacKenzie, and M. Yung, “Proactive RSA, ” Advances
in Cryptology – Crypto 97, Lecture Notes in Computer Science, Vol. 1294, Springer-
Verlag, pp. 440–454, 1997.
8. R. Ganesan, “Yaksha: Augmenting Kerberos with public key cryptography,” Proc.
ISOC Network and Distributed System Security Symp., February 1995.
9. D. Hoover and B. Kausik, “Software smart cards via cryptographic camouflage,”
Proc. IEEE Symp. on Security and Privacy, 1999.
10. D. Jablon, “Password authentication using multiple servers,” Topics in Cryptology
– RSA 2001, Lecture Notes in Computer Science, Vol. 2020, Springer-Verlag, pp.
344–360, 2001.
11. T. Kwon, “Robust Software Tokens – Toward securing user’s digital identity, ”
Manuscript, 2001.
12. P. MacKenzie and M. Reiter, “Networked cryptographic devices resilient to cap-
ture,” Proc. IEEE Symp. on Security and Privacy, 2001.
13. T. Matsumoto, K. Kato, H. Imai, “Speeding up secret computations with insecure
auxiliary devices,” Advances in Cryptology - Crypto 88, Lecture Notes in Computer
Science, Vol. 403, Springer-Verlag, pp. 497–506, 1989
14. A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography,
CRC Press, pp. 287–291, 312–315, 1997.
15. R. Perlman and C. Kaufman, “Secure password-based protocol for downloading a
private key,” Proc. ISOC Network and Distributed System Security Symposium,
1999.
16. R. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures
and public-key cryptosystems,” Communications of the ACM, vol. 21, pp. 120–126,
1978.
17. RSA Labs, “RSA Keon Web PassPort, Technical Overview,”
http://www.rsasecurity.com/
18. G. Simmons, “A “weak” privacy protocol using the RSA crypto algorithm,” Cryp-
tologia, vol.7, pp. 180–182, 1983.
19. J. Tardo and K. Alagappan, “SPX: Global authentication using public key certifi-
cates,” Proc. IEEE Symp. on Security and Privacy, 1991.
20. M. Wiener, “Cryptanalysis of short RSA secret exponents,” IEEE Transactions on
Information Theory, vol.36, no.3, May 1990.
Bit-Serial AOP Arithmetic Architectures over GF(2^m)¹
H.-S. Kim and K.-Y. Yoo
Abstract. This paper presents bit-serial arithmetic architectures for GF(2^m)
based on an irreducible all one polynomial. First, a modular multiplier and a
squarer are designed. Then, two arithmetic architectures are proposed based on
the modular multiplier and squarer. The proposed architectures combine the
advantages in hardware and time complexity of previous architectures. They can
be used as kernel architectures for modular exponentiation, which is a core opera-
tion in most public-key cryptosystems. Since the multipliers have low
hardware requirements and regular structures, they are suitable for VLSI im-
plementation.
1 Introduction
Finite field GF(2^m) arithmetic is fundamental to the implementation of a number of
modern cryptographic systems and schemes [1][2].
Most arithmetic operations, such as exponentiation, inversion, and division,
can be carried out using just a modular multiplier, or using a modular multiplier and
a squarer. Therefore, to reduce the complexity of these arithmetic architectures, an effi-
cient architecture for multiplication over GF(2^m) is necessary.
An AOP can be used as the irreducible polynomial to reduce the complexity of modular
multiplication. Several architectures have already been developed to construct low-
complexity bit-serial and bit-parallel multipliers using an AOP [5][6][7][11]. How-
ever, all such previously designed systems still have certain shortcomings in hardware
complexity or time complexity.
Accordingly, the purpose of this paper is to propose bit-serial arithmetic architec-
tures with an irreducible AOP over GF(2^m), using a standard basis representation. The
proposed architectures combine the advantages of previous architectures. They reduce
hardware and time complexity significantly compared to the previous architectures.
The proposed architectures can be used as a kernel circuit for exponentiation, inver-
1 This work was partially supported by research fund grant No. 2000-2-51200-001-2
from the Korea Science & Engineering Foundation and by the research fund of Kyungil University.
G. Davida, Y. Frankel and O. Rees (Eds.): InfraSec 2002, LNCS 2437, pp. 303–313, 2002.
© Springer-Verlag Berlin Heidelberg 2002
304 H.-S. Kim and K.-Y. Yoo
sion, and division architectures, which are an important part of
public-key cryptosystems. Using the proposed architectures to implement a crypto-
system yields a cryptosystem with low hardware complexity. The proposed structures
have a particularly simple architecture, so they are easy to implement in VLSI
hardware and to use in IC cards.
2 Background
A finite field GF(2^m) contains 2^m elements that are generated by an irreducible poly-
nomial of degree m over GF(2). A polynomial f(x) of degree m is said to be irreducible
if the smallest positive integer n for which f(x) divides x^n + 1 is n = 2^m − 1 [3]. It has
been shown that an all one polynomial (AOP) is irreducible if and only if m+1 is a
prime and 2 is a generator of the field GF(m+1) [7]. The values of m ≤ 100 for which an
AOP of degree m is irreducible are 2, 4, 10, 12, 18, 28, 36, 52, 58, 60, 66, 82, and 100.
Let f(x) = x^m + x^{m-1} + … + x + 1 be an irreducible AOP over GF(2) and let α be
a root of f(x). Then any field element a ∈ GF(2^m) can be represented in a standard
basis as a = a_{m-1}α^{m-1} + a_{m-2}α^{m-2} + … + a_1α + a_0, where a_i ∈ GF(2) for 0 ≤ i ≤ m−1.
With the extended polynomial basis {α^m, α^{m-1}, …, α, 1}, the field element A can also be repre-
sented as
A = A_mα^m + A_{m-1}α^{m-1} + A_{m-2}α^{m-2} + … + A_0   (1)
where A_m = 0 and A_i ∈ GF(2) for 0 ≤ i ≤ m. Here, if a ≡ A (mod f(x)), where f(x) is an
AOP of degree m, then the coefficients of a are given by a_i = A_i + A_m (mod 2), 0 ≤ i ≤
m−1.
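The reduction a_i = A_i + A_m holds because f(α) = 0 forces α^m to equal the sum of all lower powers of α over GF(2). A one-line sketch, assuming little-endian coefficient lists (index = power of α):

```python
def to_standard_basis(A):
    """Reduce an extended-basis element A = [A_0, ..., A_m] modulo the
    AOP f(x): since alpha^m = alpha^(m-1) + ... + alpha + 1 over GF(2),
    the top coefficient A_m folds into every lower one, giving
    a_i = A_i + A_m (mod 2)."""
    m = len(A) - 1
    return [A[i] ^ A[m] for i in range(m)]
```

For instance, with m = 4 the element α^4 reduces to α^3 + α^2 + α + 1.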
Field multiplication can be simplified by using the AOP property α^{m+1} = 1,
as follows:
Definition 1 [7] Let A = A_mα^m + A_{m-1}α^{m-1} + … + A_1α + A_0 be an element of GF(2^m).
Let A^{(1)} and A^{(-1)}
denote the elements obtained by shifting A cyclically one position to the left and
one position to the right, respectively. Analogously, A^{(i)} and A^{(-i)}, where 0 ≤ i ≤ m,
denote the elements obtained by shifting A cyclically i positions to the left and i posi-
tions to the right, respectively.
Bit-Serial AOP Arithmetic Architectures over GF(2^m) 305
Then
Aα = A^{(1)},   Aα^{-1} = A^{(-1)},   A^{(i-1)}α = A^{(i)},   and   A^{(-i+1)}α^{-1} = A^{(-i)}.
From the above equations, the inner product can be defined as follows.
Definition 2 [7] Let A = A_mα^m + A_{m-1}α^{m-1} + … + A_1α + A_0 and B = B_mα^m +
B_{m-1}α^{m-1} + … + B_1α + B_0 be two elements of GF(2^m), where α is a root of the
irreducible AOP of degree m. Then
A • B = [Σ_{j=0}^{m} A_jα^j] • [Σ_{j=0}^{m} B_jα^j] = Σ_{j=0}^{m} A_jB_jα^{2j}
By Definition 2, the inner product of A^{(i)} and B^{(-i)} is given by
A^{(i)} • B^{(-i)} = [Σ_{j=0}^{m} A_{<j-i>}α^j] • [Σ_{j=0}^{m} B_{<j+i>}α^j] = Σ_{j=0}^{m} A_{<j-i>}B_{<j+i>}α^{2j}
where <x> denotes the least nonnegative residue of x modulo m+1. That is,
A·B = A^{(0)} • B^{(0)} + A^{(1)} • B^{(-1)} + A^{(2)} • B^{(-2)} + … + A^{(m)} • B^{(-m)}
                α^8     α^6     α^4     α^2     α^0
A^(0) • B^(0)   A4B4    A3B3    A2B2    A1B1    A0B0
A^(1) • B^(-1)  A3B0    A2B4    A1B3    A0B2    A4B1
A^(2) • B^(-2)  A2B1    A1B0    A0B4    A4B3    A3B2
A^(3) • B^(-3)  A1B2    A0B1    A4B0    A3B4    A2B3
A^(4) • B^(-4)  A0B3    A4B2    A3B1    A2B0    A1B4
                (P’4)   (P’3)   (P’2)   (P’1)   (P’0)
                 P3      P1      P4      P2      P0
Fig. 1. Inner product over GF(2^4).
Notably, the result in Fig. 1 is the same as that obtained from ordinary modular multi-
plication.
The symbols ai , bi , and pi are the i-th components of A, B, and P, respectively.
Left_Shift(y, Bi ) and Right_Shift(z, Ai ) denote shifting register y once to the left with
input data Bi and shifting register z once to the right with input data Ai , respectively.
Shifting register z cyclically once to the right or left is denoted by Circu-
lar_Right_Shift(z) or Circular_Left_Shift(z), respectively.
The input values A and B are stored in the zi and yi registers, respectively, during the
first loop in step 1. The algorithm then performs the multiplication operation from step 5
to step 10. The loop with index k in step 6 is processed in parallel. A total of m+1 time
steps is needed for the data initialization and for the computation, respectively, but there
is a common time step between the last initialization time step, i = 0, and the first com-
putation time step, j = m. The complete result is output after 2m+1 time steps over
GF(2^m). A control signal is needed to distinguish the input phase from the processing
phase. The sequence of the control signal is composed of m+1 ones and m zeroes, be-
cause of the common time step between the last initialization time step and the first
computation time step.
Fig. 2 shows the proposed IM over GF(2^4). The multiplier can easily be expanded to
an arbitrary size of m.
Fig. 2. Modular Multiplier over GF(2^4).
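The inner-product multiplication of Definition 2 and Fig. 1 can be modeled directly. This is a behavioral sketch of the IM's arithmetic, not of the LFSR circuit; coefficients are assumed to be little-endian bit lists of length m+1, with m = 4 as in the figure.

```python
M = 4        # AOP degree m; m + 1 = 5 is prime with 2 a generator of GF(5)
W = M + 1    # extended-basis length, since alpha^(m+1) = 1

def aop_multiply(A, B):
    """Multiply two GF(2^m) elements in the extended basis via
    A.B = sum_i A^(i) . B^(-i) (Definition 2 and Fig. 1).
    A, B are little-endian bit lists of length m+1."""
    P = [0] * W
    for i in range(W):
        for j in range(W):
            # A^(i)_j = A_<j-i>, B^(-i)_j = B_<j+i>; term lands on alpha^(2j)
            P[(2 * j) % W] ^= A[(j - i) % W] & B[(j + i) % W]
    return P
```

Because 2 is invertible modulo m+1, the (i, j) terms enumerate every coefficient pair exactly once, so the result agrees with ordinary polynomial multiplication reduced by α^(m+1) = 1 — the observation made about Fig. 1 above.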
Over the extended polynomial basis, the square operation B^2 can be carried out just
by reordering the basis coefficients as follows:
B^2 = (B_mα^m + B_{m-1}α^{m-1} + … + B_1α + B_0)^2
    = B_mα^{2m} + B_{m-1}α^{2(m-1)} + … + B_2α^4 + B_1α^2 + B_0   (2)
Example 1: Consider the square of an element B = B_4α^4 + B_3α^3 + B_2α^2 + B_1α + B_0
over GF(2^4). Using α^5 = 1, α^6 = α, α^7 = α^2, α^8 = α^3, we obtain
B^2 = B_2α^4 + B_4α^3 + B_1α^2 + B_3α + B_0.
The algorithm is composed of three parts: a data initialization part, a reor-
dering part, and an output part. A total of m+1 time steps is needed for the data
initialization. At the last input time step, i.e. i = 0, the reordering is processed in step 3,
and the first result bit is output in step 5. The complete result is output after 2m+1 time
steps over GF(2^m). A control signal is needed to distinguish the input phase from the
processing phase. The sequence of the control signal is the same as for the modular
multiplier. The squaring itself is processed within a single time step, but SM requires
2m+1 time steps to synchronize with the modular multiplier for later use. Fig. 3 shows
the squaring circuit over GF(2^4).
The next section gives two architectures based on this modular multiplier and squarer.
Fig. 3. Modular squarer over GF(2^4).
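The coefficient reordering of Eq. (2) and Example 1 amounts to a single permutation. Again a behavioral sketch with little-endian bit lists and m = 4:

```python
M = 4        # AOP degree m, as in Example 1
W = M + 1    # extended-basis length; alpha^(m+1) = 1

def aop_square(B):
    """Square in the extended basis: B^2 = sum_j B_j alpha^(2j), so
    squaring only permutes the coefficients."""
    S = [0] * W
    for j in range(W):
        S[(2 * j) % W] ^= B[j]
    return S
```

For m = 4 the permutation sends [B0, B1, B2, B3, B4] to [B0, B3, B1, B4, B2], which is exactly the reordering of Example 1.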
An exponent can be expressed as E = e_{m-1}2^{m-1} + e_{m-2}2^{m-2} + … + e_1·2 + e_0, or
in vector representation as [ e_{m-1} e_{m-2} … e_1 e_0 ]. A popular algorithm for
computing exponentiation is the binary method of Knuth [4].
There are two ways exponentiation can be done. Starting from the least significant bit
(LSB) of the exponent, the exponentiation of M can be expressed as
M^E = M^{e_0} (M^2)^{e_1} (M^{2^2})^{e_2} … (M^{2^{m-1}})^{e_{m-1}}   (3)
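Equation (3) corresponds to the following LSB-first scan, shown here generically: the multiply and square routines are parameters, and the ISM described below computes both in a single pass per bit.

```python
def lsb_first_exponentiation(mul, sqr, base, e_bits, one):
    """LSB-first binary exponentiation (Eq. 3): scan e_0, e_1, ...,
    multiplying the running result by the running power base^(2^k)
    whenever the exponent bit is set."""
    result, power = one, base
    for bit in e_bits:          # least significant bit first
        if bit:
            result = mul(result, power)
        power = sqr(power)      # advance to base^(2^(k+1))
    return result
```

With `mul` and `sqr` instantiated as integer operations modulo a prime, the routine agrees with Python's built-in `pow`; in the paper's setting they would be the IM and SM over GF(2^m).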
This shows that the exponentiation can be performed with squaring and multiplica-
tion operations. To implement the exponentiation in algorithm 3, either the outputs are
fed back as inputs to the same multiplier, or separate units for multiplication and
squaring are joined. However, both methods have certain shortcomings when computing
an exponentiation. In this section, a new bit-serial architecture combining a
squarer and a multiplier is presented for LSB-first exponentiation.
A circuit, denoted ISM, can be implemented to produce the results of a multiplication
and a squaring simultaneously, based on IM and SM. An algorithm for ISM can be
derived as follows:
The algorithm is composed of two parts: a data initialization part and a compu-
tation part. The initialization part is the same as in the IM. At the last time step of
data input, the algorithm performs a squaring operation: it outputs the first bits of the
squaring result in step 9 and performs the multiplication operation in steps 6 to 8. The
ISM produces one bit of the squaring result and one bit of the multiplication result in
every computation time step. Steps 7 and 8 show the main operation of ISM, which is
somewhat different from the FSM. Additionally, registers z and y must be shifted cy-
clically once to the right and once to the left, respectively, for the next operation.
Fig. 4. ISM architecture for GF(2^4).
Fig. 4 shows the ISM architecture combining IM and SM. The upper part is actually
the same as the SM, but it looks different because of the register reordering. ISM
also requires a latency of 2m+1 time steps.
Starting from the most significant bit (MSB) of the exponent, the exponentiation of M
can be expressed as M^E = ( … ((M^{e_{m-1}})^2 M^{e_{m-2}})^2 ⋯ )^2 M^{e_0}.
                α^8     α^6     α^4     α^2     α^0
A^(0) • C^(0)   A4B2    A3B4    A2B1    A1B3    A0B0
A^(1) • C^(-1)  A3B0    A2B2    A1B4    A0B1    A4B3
A^(2) • C^(-2)  A2B3    A1B0    A0B2    A4B4    A3B1
A^(3) • C^(-3)  A1B1    A0B3    A4B0    A3B2    A2B4
A^(4) • C^(-4)  A0B4    A4B1    A3B3    A2B0    A1B2
                (P’4)   (P’3)   (P’2)   (P’1)   (P’0)
                 P3      P1      P4      P2      P0
Fig. 5. AB^2 multiplication based on inner product.
Fig. 6. IOM architecture over GF(2^4).
Based on register y, the upper and lower parts implement SM and IM, respectively.
The lower part produces one bit of the multiplication result in every time step. For a
squaring operation, the reordering is processed in the upper part. Finally, the complete
result is output after 2m+1 time steps. Fig. 6 shows the new AB^2 multiplier, denoted
IOM, over GF(2^4).
Three of the compared architectures, Wang’s, Fenn’s, and IM, perform modular multi-
plication; IM requires significantly fewer multiplexers than Fenn’s.
ISM, which produces a modular multiplication and a squaring simultaneously, re-
duces hardware complexity by about one third compared with the previous architec-
ture. IOM likewise achieves a significant hardware reduction compared with Kim’s
architecture in [10].
As a result, the proposed LFSR arithmetic architectures have lower hardware
complexity than the previous architectures. Therefore, using these architectures in
cryptographic applications yields a system with low hardware complexity.
5 Conclusion
This paper presented bit-serial AOP arithmetic architectures over GF(2^m). Compari-
sons showed that the proposed architectures have certain advantages in circuit
complexity over previous architectures. Accordingly, the proposed architectures can
be used as kernel circuits for exponentiation, inversion, and division architectures.
They are easy to implement in VLSI hardware and to use in IC cards, as the proposed
structures have a particularly simple architecture.
References
1. T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete loga-
rithms,” IEEE Trans. on Info. Theory, vol. 31(4), pp. 469–472, July 1985.
2. W. Diffie and M.E. Hellman, “New directions in cryptography,” IEEE Trans. on Info.
Theory, vol. 22, pp. 644–654, Nov. 1976.
3. R.J. McEliece, Finite Fields for Computer Scientists and Engineers, New York: Kluwer
Academic, 1987.
4. D.E. Knuth, The Art of Computer Programming, Vol. 2, Seminumerical Algorithms, Read-
ing, MA: Addison-Wesley, 1969.
5. S.T.J. Fenn, M.G. Parker, M. Benaissa, and D. Tayler, “Bit-serial multiplication in GF(2^m)
using irreducible all-one polynomials,” IEE Proc. Comput. Digit. Tech., Vol. 144, No. 6,
pp. 391–393, 1997.
6. T. Itoh and S. Tsujii, “Structure of parallel multipliers for a class of fields GF(2^m),” Info.
Comp., Vol. 83, pp. 21–40, 1989.
7. C.Y. Lee, E.H. Lu, and J.Y. Lee, “Bit-Parallel Systolic Multipliers for GF(2^m) Fields De-
fined by All-One and Equally Spaced Polynomials,” IEEE Trans. on Comp., Vol. 50, pp.
385–393, 2001.
8. C.L. Wang and J.L. Lin, “Systolic Array Implementation of Multiplier for Finite Fields
GF(2^m),” IEEE Trans. on Circuits and Systems, Vol. 38, pp. 796–800, July 1991.
9. H.S. Kim and K.Y. Yoo, “Area Efficient Exponentiation using Modular Multiplier/Squarer
in GF(2^m),” Lecture Notes in Computer Science 2180, pp. 262–267, 2001.
10. N.Y. Kim, H.S. Kim, and K.Y. Yoo, “Efficient Systolic Architectures for AB^2 multiplica-
tion in GF(2^m),” Submitted for publication, Oct. 2001.
11. H.S. Kim, Bit-Serial AOP Arithmetic Architecture for Modular Exponentiation, Ph.D.
Thesis, Kyungpook National University, 2002.
A Practical Distributed Authorization System
for GARA
1 Introduction
Reliable high speed end-to-end network services are increasingly important for
scientific collaborators, whether separated by large distances or located just
across town or campus. Our experience shows that long haul networks demon-
strate good performance (thanks to over provisioning), but the last mile – from
the edge of the campus network to the desktop – is often a network bottleneck.
Quality of Service functionality is a common feature of network hardware.
Recent studies show the viability and utility of these features to control network
resources. Currently, QoS configuration of network hardware is done by hand.
While several standardization efforts are attempting to produce protocols that
enable automated network configuration across administrative domains [12,19],
it is not yet clear which protocol(s) will be embraced.
Our work addresses the need for an automated network reservation system
to provide reliable last mile networking for video, audio, and large data transfers
G. Davida, Y. Frankel and O. Rees (Eds.): InfraSec 2002, LNCS 2437, pp. 314–324, 2002.
c Springer-Verlag Berlin Heidelberg 2002
A Practical Distributed Authorization System for GARA 315
for the partner institutions. Reliable end-to-end network service between part-
ner institutions is achieved by reserving network resources within the end-point
institution networks, coupled with the demonstrated adequate performance of
the over provisioned interconnecting long haul networks, wherein no network
resource reservation is needed.
In automating network configuration, security of all communications is vital.
Network hardware is a prime target for malicious hackers, because controlling the
routing and resource allocation of a network enables myriad other attacks. What
makes this security problem difficult is the cross-domain nature of end-to-end
network resource allocation. To request end-to-end network resource allocation
between the local domain and a remote domain, a user must be authenticated
and authorized in both domains before the request can be granted.
Our work is based on the Globus General-purpose Architecture for Reser-
vation and Allocation (GARA) [6,8,7,10]. This is a natural choice because the
project partner institutions all run Globus software in either production or pre-
production mode. The goal of the GARA architecture is to create a flexible
solution that satisfies requirements of different types of resources (networks,
CPUs, disks, etc.), while providing a convenient interface for users to create
both advance and immediate reservations. GARA uses the Globus Grid Secu-
rity Infrastructure (GSI) [5] for authentication and authorization. An attractive
feature of GSI is that it performs cross-domain authentication by relying on a
Public Key Infrastructure (PKI) and requiring users to have long term public
key (PK) credentials.
GSI provides coarse-grained access control. A flat file, called the gridmap
file, stores mappings from PK credentials (Distinguished Names, DNs) to local
user names. A user is allowed access to Globus services if there is an entry
corresponding to that user in the gridmap file. This all-or-nothing access control
policy is extremely limiting. Authorization decisions in QoS are based on many
parameters such as the amount of available bandwidth, time of day, system
load, and others. We propose to control resource usage with a policy engine and
expressive security policies.
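The gridmap file just described is a flat list of DN-to-local-account mappings, one per line; the entries below are purely illustrative (both the DNs and the user names are made up):

```
"/O=Grid/O=Globus/OU=umich.edu/CN=Jane Doe"   jdoe
"/O=Grid/O=Globus/OU=example.org/CN=John Roe" jroe
```

A request whose authenticated DN has no such line is simply refused, which is exactly the all-or-nothing behavior criticized above.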
In this paper, we describe the design and implementation of a GARA sys-
tem that automates network reservations. The contributions of this paper are
twofold. First, we provide a fine-grained cross-domain authorization for GARA
that leverages existing security and group services, with universal access for
users. Second, we eliminate the need for long term PK credentials, currently re-
quired by the system. We also introduce a secure and convenient Web interface
for making reservation requests based on Kerberos credentials.
The remainder of this paper is organized as follows. Section 2 describes the
Kerberized Credential Authority (KCA) and Kerberized Credential Translation
(KCT) services and shows how they allow universal access to GARA by enabling a
reservation to be made via the Web, obviating the need to install Globus software
on workstations. Section 3 presents an architecture for distributed authorization
that employs a shared namespace, delegated authorization through secure and
trusted channels and a signed authorization payload, and the policy engine used
316 W.A. Adamson and O. Kornievskaia
Fig. 1. KX509 GARA Web Interface. This figure shows how local network re-
sources are reserved with the GARA Web interface. KX509 junk keys replace long
term PK credentials. Communications with the KDC, KCA, and KCT are Kerberos
protected.
Many sites, such as the University of Michigan, lack a PKI, but they do have an
installed Kerberos [14] base. The University of Michigan has developed a service
that allows users to access Grid resources based on their Kerberos credentials.
The KX509 [9,13] system translates Kerberos credentials into short-lived PK
credentials, or junk keys, which in turn can be used by browsers for mutual SSL
authentication or by GSI for Globus authentication.
Junk keys have several advantages over traditional long-lived PK credentials.
They have short lifetimes, so the revocation problem [1] is largely obviated.
While, in a traditional PKI, long term credentials put the ease of user mobility
in question, KX509 users can obtain new junk keys at each workstation.
KX.509 creates a new public/private keypair and sends the public key to a
Kerberized Certificate Authority (KCA) over a Kerberos secured channel. Using
the presented public key, the KCA creates and signs a short term X.509 identity
certificate.
In order to make network resource reservations convenient for users, we built
a GARA Web Interface. A user makes a reservation by filling out a GARA net-
work reservation Web form. All requests are SSL protected and require mutual
authentication. As opposed to a traditional password-based user authentication,
we use short-lived user certificates, priorly acquired with KX.509. After the Web
server authenticates the user, it contacts a Kerberized Credential Translation
(KCT) [13] server, presents appropriate credentials, and requests Kerberos cre-
dentials on the user’s behalf. Next, the Web server runs KX509 on the user’s
behalf, which creates a new junk key for the user on the Web server. This junk
key is then used to create Globus proxy credentials. GARA client code resides on
the Web server and uses Globus proxy credentials. Figure 1 gives an overview of
the GARA Web Interface.
such as the amount of requested bandwidth or the start time of the request are al-
ready encapsulated in a shared namespace, in that they are coded as name/value
pairs in the request.
Signed authorization payload. At the remote service, we do not add a call-
back to the local group service to determine group membership, instead, autho-
rization information is added to the existing resource request.
The local GARA resource manager queries the local group membership ser-
vice for the subset of shared namespace groups in which the requestor is a mem-
ber, and passes the group list along with the request parameters to its policy en-
gine to make an authorization decision. If the request succeeds, the local GARA
resource manager creates an authorization payload consisting of the requestor’s
distinguished name and the group list. To secure the authorization payload, we
require the local GARA resource manager to sign the authorization payload be-
fore adding it to the reservation reply returned to the GARA client running on
the Web server. The reservation request is forwarded to the remote GARA, which
validates the signature on the received authorization information before pass-
ing the group list as input to its policy engine. Thus we piggy-back the group
membership information on the existing reservation request communication.
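The payload construction can be sketched as follows. This is illustrative only: the resource manager in the paper signs with its public-key credential, whereas this sketch substitutes an HMAC with a hypothetical shared key, and the JSON wire format is an assumption.

```python
import hashlib
import hmac
import json

# Hypothetical signing key; stands in for the manager's PK credential.
MANAGER_KEY = b"local-resource-manager-secret"

def build_authz_payload(dn: str, groups):
    """Bundle the requestor's DN and shared-namespace group list and
    sign the bundle, so the remote GARA can verify the piggy-backed
    authorization data."""
    body = json.dumps({"dn": dn, "groups": sorted(groups)}, sort_keys=True)
    sig = hmac.new(MANAGER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def verify_authz_payload(payload) -> bool:
    """Remote-side check before the group list reaches the policy engine."""
    expected = hmac.new(MANAGER_KEY, payload["body"].encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, payload["sig"])
```

Any tampering with the DN or group list invalidates the signature, so the remote policy engine only ever sees attributes vouched for by the local resource manager.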
Policy Engine. After all the requestor’s attributes such as group membership
and request parameters have been established, the fine-grained authorization
decision can be made. In general, policy engines accept attribute-value pairs
as input, compare the input attributes to a set of policy rules, and return a
pass/fail response. The granularity of the authorization decision is embodied in
the complexity of the policy rules that must be satisfied by the input attribute-
value pairs. To allow different policy engines, the authorization callout has a
generic API that passes information about the requestor and the action to the
policy engine. We chose KeyNote [2,3,4] for our policy engine because of its
flexibility and easy availability.
4 Implementation
/* Top-level authorization flow in the resource manager */
SN_groups = retrieve_group_membership(requestor);
result = authorization_decision(requestor, action_description,
                                policy, credentials);
if (result == "allowed")
    do the requested action;
else
    report that the action is not allowed;

/* authorization_decision() in terms of the KeyNote API */
session_id = kn_init();
kn_add_assertion(session_id, policy[i]);       /* for each policy assertion */
kn_add_assertion(session_id, credentials[i]);  /* for each credential */
for all actions in action_description
    kn_add_action(session_id, action_description.attr,
                  action_description.value);
result = kn_do_query(session_id);
keynote-version: 2
local-constants: ADMIN_UM = "x509-base64:MIICrzCC"
authorizer: "POLICY"
licensees: ADMIN_UM
conditions: app_domain == "gara" &&
operation == "reservation" &&
type == "bandwidth" &&
((location == "local" && @amount <= 100) ||
(location == "remote" && @amount <= 10) ||
time == "night") && grid_bw == "yes";
Fig. 4. Trusted assertion stating KeyNote top level security policy. Note that the value
of the key has been truncated.
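For illustration, the conditions of the Fig. 4 assertion can be re-expressed as an ordinary boolean predicate. This Python sketch mirrors the policy's logic only; it is not how KeyNote itself evaluates assertions.

```python
def gara_policy_allows(a: dict) -> bool:
    """Predicate equivalent to the Fig. 4 KeyNote conditions:
    a gara bandwidth reservation is allowed for up to 100 units
    locally, 10 units remotely, or any amount at night, provided
    grid_bw is set."""
    if not (a["app_domain"] == "gara"
            and a["operation"] == "reservation"
            and a["type"] == "bandwidth"):
        return False
    amount_ok = ((a["location"] == "local" and a["amount"] <= 100)
                 or (a["location"] == "remote" and a["amount"] <= 10)
                 or a["time"] == "night")
    return amount_ok and a["grid_bw"] == "yes"
```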
[Figure: deployment diagram showing the PTS, policy engines, KDC, KCA, and KCT across the local and remote domains, with GSI and SSH links from the gatekeeper and GARA to the network hardware, annotated with steps 11-14.]
5. The Web server kx509 module acquires and caches junk keys on behalf of the
user as in Step 2. Then, the Web server globus proxy init module uses the
newly created keys to create the user's Globus proxy certificate.
6. The Web server gara module constructs a reservation request to the local
gatekeeper using the Globus GSSAPI SSLEAY protocol and the proxy cer-
tificate. The local GARA gatekeeper looks for an entry in the gridmap file
that matches the corresponding distinguished name – a field in the Globus
proxy certificate (from Step 5). The DN and local id are attached to the RSL
(Resource Specification Language) string.
7. Using the Nexus API for interprocess communication, the local gatekeeper
forwards the RSL to the resource manager (diffserv manager).
8. The local id is passed to the group membership function, which performs one
of several actions, depending on configuration and on whether the request is
from a local or remote user. If the authorization data in this RSL is null, the
request is from a user in the local realm. In our setting, the group membership
function queries a Protection Server (PTS) – a part of AFS. The call can
be easily replaced by a query to any local group service such as an LDAP
service or a flat file. The call is performed over an authenticated channel
using the diffserv manager’s identity. Prior to accepting any connections,
diffserv manager acquires AFS tokens needed to authenticate with the PTS
server.
9. The group membership information acquired in the previous step, the reser-
vation parameters, and a policy file are passed to the KeyNote policy engine
that makes an authorization decision. If the request does not satisfy the current
security policy, an error is returned to the client and the rest of the steps
are not executed.
322 W.A. Adamson and O. Kornievskaia
10. The setup flow Expect script uses SSH to communicate with the appropriate
network hardware and configures the network reservation.
11. This step is the same as Step 6 except this time the RSL carries the au-
thorization payload. We use auth-data as the attribute name. The value is
variable length. In our current implementation, the RSL is limited to 4KB,
enough to encode information for at least 64 groups (assuming 64-byte names).
12. Same as Step 7.
13. Same as Step 9.
14. Same as Step 10.
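The packaging of Step 11's auth-data attribute within the 4KB RSL budget can be sketched as below. The `auth-data` attribute name is from Step 11, but the concrete encoding and the `&(attribute=value)` RSL layout shown here are illustrative assumptions, not the GARA wire format.

```python
def build_rsl(executable: str, groups: list, limit: int = 4096) -> str:
    """Attach the requestor's group list to an RSL string as an
    auth-data attribute and enforce the 4KB RSL size limit noted
    in Step 11 (encoding is a hypothetical sketch)."""
    rsl = "&(executable=%s)(auth-data=%s)" % (executable, ",".join(groups))
    if len(rsl) > limit:
        raise ValueError("RSL exceeds %d-byte limit" % limit)
    return rsl
```

With 64 groups of 64-byte names the payload alone already fills the 4KB budget, so separators and the other RSL fields push such a request over the limit; real deployments would need a more compact encoding at that scale.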
This design lets us express many policies, including who can request which
network resources and when such requests are valid. In the example we presented,
the authorization payload is signed by one certificate, the remote GARA diffserv
manager. More broadly, a site may require the authorization payload to contain
assertions from other services. For example, a site might require that users be
U.S. citizens, verified by some specific Certificate Authority. Signed assertions
can be added to the authorization payload to accommodate such requirements.
5 Related Work
The Globus MyProxy [16] initiative provides a trusted server to store users'
delegated credentials, indexed by a tag and a password. Later, a service can
contact a MyProxy server, present a tag and a password and receive correspond-
ing credentials (e.g., certificate or Kerberos ticket) on a client’s behalf. Each
service requires a different tag and password, forcing users to manage many
passwords. This approach also requires users to type their passwords into HTML
forms, which are easily reproduced by a malicious party who collects passwords:
an attacker can obtain a certificate, signed by one of the default Certificate
Authorities supported by browsers, and run a Web server that presents a spoofed
login HTML form. A user can tell the login form is spoofed by examining the
server's credential, but most users do not bother to do so.
The Grid Portal Architecture [11] is a Web interface to Grid Computing
resources that uses MyProxy Services for client authentication. The GARA Web
interface differs from the Grid Portal in several important ways. Access in our
scheme is done via an HTTPS stream and requires mutual SSL authentication,
which in turn requires a user certificate, thus obviating the need for users to
type passwords in HTML forms, as it is done in the Grid Portal.
The Community Access Service (CAS) [15] is a proposed Grid authorization
service that the user calls prior to making a request for Grid resources. CAS
returns a signed capability to indicate a successful authorization request. The
capability is then added to the Grid resource request.
The GARA client is designed to contact each end domain GARA service. In
the future, the GARA client will contact the first GARA service, which in turn
will contact other bandwidth brokers (BBs) needed for the end-to-end reservation.
A Practical Distributed Authorization System for GARA 323
Sander et al. discusses the bandwidth broker to bandwidth broker protocol in
[18]. The Simple Inter-Domain Bandwidth Broker Specification (SIBBS) [19] is a
simple request-response bandwidth broker to bandwidth broker protocol
being developed by the Internet2 QBone Signaling Design Team. It is anticipated
that GARA will be an early development code base for SIBBS.
Our choice of policy engines was influenced by the availability of working
code. The modular design allows for use of other policy engines. Akenti [20],
and GAA API [17] were also considered. We acknowledge Akenti’s strength over
KeyNote in terms of credential management. On the other hand, Akenti imposes
overhead that KeyNote does not require, such as the creation of certificates
for each of the clients.
6 Conclusions
References
1. Andre Arnes. Public Key Certificate Revocation Schemes. PhD thesis, Norwegian
University of Science and Technology, Kingston, Ontario, Canada, February 2000.
2. M. Blaze, J. Feigenbaum, J. Ioannidis, and A. Keromytis. The KeyNote trust
management system version 2. RFC 2704, September 1999.
3. M. Blaze, J. Feigenbaum, and A. Keromytis. Keynote: Trust management for
public-key infrastructure. In Proceedings Cambridge 1998 Security Protocols In-
ternational Workshop, April 1998.
4. M. Blaze, J. Feigenbaum, and M. Strauss. Compliance checking in the PolicyMaker
trust management system. In Proceedings of Financial Cryptography, February
1998.
5. R. Butler, D. Engert, I. Foster, C. Kesselman, S. Tuecke, and J. Volmer. A national-
scale authentication infrastructure. IEEE Computer, 33(12):60–66, December 2000.
6. Documentation: A Guide to GARA.
http://www-fp.mcs.anl.gov/qos/qos_papers.htm.
7. Documentation: Administrator's Guide to GARA.
http://www-fp.mcs.anl.gov/qos/qos_papers.htm.
8. Documentation: Programmer's Guide to GARA.
http://www-fp.mcs.anl.gov/qos/qos_papers.htm.
9. W. Doster, M. Watts, and D. Hyde. The KX.509 protocol. Technical Report 01-2,
Center for Information Technology Integration, University of Michigan, February
2001.
10. I. Foster, A. Roy, and V. Sander. A quality of service architecture that combines
resource reservation and application adaptation. In Proceedings of the 8th Inter-
national Workshop on Quality of Service (IWQoS 2000), June 2000.
11. Grid Computing Portal:
http://hotpage.npaci.edu/cgi-bin/hotpage_top.cgi.
12. IETF Internet Traffic Engineering Working Group.
http://www.ietf.org/html.charters/tewg-charter.html.
13. O. Kornievskaia, P. Honeyman, B. Doster, and K. Coffman. Kerberized credential
translation: A solution to web access control. In Proceedings of the 10th USENIX
Security Symposium, August 2001.
14. C. Neuman and T. Ts’o. Kerberos: an authentication service for computer net-
works. IEEE Communications, 32(9):33–38, September 1994.
15. L. Pearlman, V. Welch, I. Foster, C. Kesselman, and S. Tuecke. A community
authorization service for group collaboration. In IEEE Workshop on Policies for
Distributed Systems and Networks, 2002. Submitted.
16. MyProxy project. http://dast.nlanr.net/Projects/MyProxy.
17. T. Ryutov and C. Neuman. Representation and evaluation of security policies for
distributed system services. In Proceedings of the DISCEX, January 2000.
18. V. Sander, W. A. Adamson, I. Foster, and A. Roy. End-to-end provision of pol-
icy information for network qos. In Proceedings of the 10th Symposium on High
Performance Distributed Computing, August 2001.
19. SIBBS. The simple inter-domain bandwidth broker specification.
http://qbone.internet2.edu/bb/.
20. M. Thompson, W. Johnson, S. Mudumbai, G. Hoo, K. Jackson, and A. Essiari.
Certificate based access control for widely distributed resources. In Proceedings of
the 8th USENIX Security Symposium, August 1999.
Design of a VPN Software Solution Integrating
TCP and UDP Services
Abstract. The main aims of a Virtual Private Network (VPN) are to iso-
late a distributed network from outsiders and to protect the confidentiality
and integrity of sensitive information traversing a non-trusted network
such as the Internet. However, problems arise when security is treated
as the sole concern, because VPN users then suffer from restrictions in
their access to the network. They are not free to use traditional Internet
services such as electronic mail exchange with non-VPN users, or to
access Web and FTP servers external to the organization.
This paper presents a new solution that allows the open use of traditional
network services running over TCP and UDP layers, while maintaining
strong security features. The new scheme works at the TCP/IP trans-
port layer and does not require the addition of new hardware because it
is a totally software solution. As a consequence, the application is totally
portable. Moreover, and because of its implementation at the transport
layer, there is no need to modify any traditional communication appli-
cations previously installed in the network system.
1 Introduction
The digital communication needs of most organizations have grown considerably
in recent years, for several reasons. For instance, the globalization of the
economy increases the demand for telecommunication among branch offices, and
inter-company agreements require that resources be shared. Thus, decreasing
the cost of telecommunication infrastructures is imperative.
Traditionally, companies have used leased lines with that purpose. The most
representative example is the Frame Relay service [2],[5], which is based on the
transfer of information frames between intermediate switching offices. The service,
which uses permanent virtual circuits (PVCs) through telephone network routers,
presents some drawbacks:
G. Davida, Y. Frankel and O. Rees (Eds.): InfraSec 2002, LNCS 2437, pp. 325–337, 2002.
c Springer-Verlag Berlin Heidelberg 2002
326 J. Lopez et al.
On the other hand, open networks offer a more profitable solution than leased
lines. Thus, for example, Virtual Private Networks (VPNs) use relatively low-
cost, widely available access to public networks to connect remote sites together
safely. Network architectures defined by VPNs are inherently more scalable and
flexible than classical WANs, and they allow organizations to add and remove
branch offices easily.
However, and as shown later, the study of the different TCP/IP stack layers
reveals that the different solutions that enable establishing a VPN essentially
focus on security aspects. Their main aims are to isolate a distributed network
from outsiders and to protect the privacy and integrity of sensitive information
traversing non-trusted open networks such as the Internet. These approaches fail
to be complete.
The main drawback of conceiving security as the unique target
is that VPN users suffer from restrictions in accessing the Internet. That is,
they cannot freely use traditional services such as electronic mail exchange with
non-VPN users, and cannot freely access Web and FTP servers external to the
organization. Actually, within the same application, it is a difficult task to enable
generic Internet access to VPN users and, at the same time, to provide a strong
enough security model for the organization.
This work presents an approach to this problem that extends our previous,
more constrained approach [3]. We have developed a new integrated security
solution for VPNs that, while maintaining strong security features, allows the
open use of traditional Internet services that run not only over TCP (the case
of our previous solution), but also over UDP. The solution does not require the
addition of new hardware because it is an exclusively software solution. As a
consequence, the application is totally portable. Moreover, the implementation
is located at the transport layer; thus, it allows using those services running over
TCP (like FTP, Telnet, WWW, etc.) and also those running over UDP (that is,
real-time applications like audio and video-conferences), which are increasingly
being used in the Internet. Additionally, and as we will show, there is no need
to modify any software previously installed.
The paper is organized in the following way: Section 2 introduces the differ-
ent cryptographic solutions used in the TCP/IP stack layers to establish private
network communications over the Internet, focusing on their advantages and
disadvantages. Section 3 explains the two-module architecture of the new sys-
tem. Section 4 describes the operation of the first module, called Secsockets, an
extension of the traditional socket interface to which security features have been
added. Section 5 outlines the operation of VPN-Insel, the second module. This
is the part of the system that really establishes the VPN, and resides on the
Design of a VPN Software Solution Integrating TCP and UDP Services 327
interface of the previous module. Section 6 shows a real example of how the new
solution works, and section 7 presents concluding remarks.
The IP address and the Security Parameter Index (SPI) in the packet header
determine the security association applied to an IPSEC packet.
The combination of IPSEC protocols with routers or firewalls constitutes a
VPN solution, and it enables the use of traditional Internet services. Neverthe-
less, because of its location, it is difficult to establish a security relationship
between two applications, which makes it difficult to provide fine granularity
and control over authentication and encryption. Consequently, an important
disadvantage of this solution is that the system automatically applies protection
according to the security associations between the hosts; users cannot decide when
to apply security mechanisms, which is inefficient in most cases. An additional
disadvantage is that the architecture blocks communications to other non-trusted
computer systems and networks, so it does not enable generic Internet access.
Moreover, even if only one solution existed, providing a VPN at this level would
make it necessary to ensure that every single user updates his/her non-secure
applications with the selected security mechanisms. There is no doubt that this
management would be hard, not only for the establishment of the VPN but also
for any small change in its configuration.
[Figure: VPN topology with the main entity and branch offices, each behind a router, connected through the Internet.]
The new design is divided into two sublevels, Secsockets and VPN-Insel. The
module Secsockets is the lower sublevel. It is an interface that works on top of
the traditional socket interface that provides access to TCP. The service offered
by Secsockets is the transmission of data from an origin process to a target one
through a secure and authenticated channel.
The module VPN-Insel is the upper sublevel. It uses the services provided by
Secsockets and, at the same time, it supports the applications with the VPN ser-
vices that they require. The next sections show the operation of both modules
in detail.
4 SecSockets
Firstly, during the connection phase, mutual authentication is carried out. Sec-
ondly, there is a negotiation of the parameters (hash function, encryption algo-
rithm, and optional compression algorithm) that will be used during the com-
munication phase.
In this phase the two interacting parts have no secret key to share as yet. So,
the use of public key certificates provides mutual authentication and confidential-
ity during parameter negotiation. This enables communicating the secret key while
avoiding the risk of interception by a third party, and facilitates the identification
of VPN users because it provides a method to implement digital signatures.
We must point out that during this phase the TCP protocol is used regardless
of the type of service that needs the creation of a secure channel. The reason for
using TCP is that we need a reliable protocol for parameter interchange, and it
is widely known that UDP is not reliable.
The steps performed are the following:
encryption algorithms that can be used are DES [10], IDEA [7], Blowfish
[17] and RC4 [15]. In case data compression is selected, the GZIP algorithm
is used.
3. Once the request is processed, the server sends a message to the client in-
dicating acceptance or rejection, encrypted with the client’s public key. In
case negotiation is accepted, it includes a random number that will be used
for the calculation of the key. If the channel to be opened is a UDP one,
then the message will include the port number where the server will listen
for messages from the client.
4. Both client and server calculate the secret key that will be used during the
next phase: the communication phase. The random values exchanged in steps 2
and 3 and the hash function negotiated in these steps are used to calculate
a bit string. The string is obtained from the following expression:
Additionally, in case the channel to be opened is UDP, the server closes
the TCP connection with the client and opens a UDP socket to wait for
messages from the client.
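The key calculation of step 4 can be sketched as follows. Since the exact expression is not reproduced here, hashing the concatenation of the two random values with the negotiated hash function is shown as one plausible form; it is an assumption, not the paper's formula.

```python
import hashlib

def session_key(rand_client: bytes, rand_server: bytes,
                hash_name: str = "sha1") -> bytes:
    """Derive the communication-phase secret on both ends from the
    random values exchanged in steps 2 and 3, using the hash function
    negotiated during the connection phase (concatenation order and
    hash choice are assumptions)."""
    h = hashlib.new(hash_name)
    h.update(rand_client + rand_server)
    return h.digest()
```

Because both ends feed the same inputs to the same negotiated hash, they derive the same key without ever transmitting it.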
The service offered by Secsockets is to send data from a source process to a target
one through a secure and authenticated channel. Secsockets works as a connec-
tion oriented communication protocol based on the client/server paradigm.
Secsockets provides a group of functions. From the programming interface
point of view these functions work in a client/server mode. As we will see later,
the reason is that levels above Secsockets need an interface that helps in the
creation of parallel client/server systems. Also, working in this way, it is pos-
sible to use either TCP or UDP for the communication by changing only one
parameter.
The functions are the following ones:
– sec init( ): This function creates a connection point at the server’s end.
The point is initialized and the function assigns it to a local communication
port. Then the server remains in an idle state waiting for a client connection-
request through that port.
– sec accept( ): This function is invoked by the server to positively acknowledge
an incoming connection and immediately provides it with a new socket. After
accepting the connection the negotiation phase, under TCP, starts at server’s
end. A socket address, either TCP or UDP, according to the mentioned
parameter, is returned. Security parameters are returned too.
– sec connect( ): The client invokes this function in order to create a final
connection point. Afterwards, a negotiation phase under TCP starts at the client's
end, authenticating the other end and agreeing on the security parameters.
A TCP or UDP socket address and security parameters are returned.
From this point on, and following the parameters settled on during the nego-
tiation phase, it will be possible to perform securely the communication phase.
The functions of this phase are described next:
– sec recv( ): This function enables data reception through a secure socket
connection, decrypts them, checks their authenticity, and decompresses them
if necessary.
– sec send( ): This function is symmetrical to the previous one. It compresses
data if this was negotiated, calculates the hash value, encrypts data, and
finally, sends them through the socket. These operations are performed ac-
cording to the negotiations of the client and server.
– sec close( ): This function erases the socket.
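A toy rendering of the communication-phase pair sec_send( )/sec_recv( ) is sketched below. The record format (length, tag, data) is hypothetical, an HMAC stands in for the negotiated hash, and encryption and compression are omitted; it only illustrates authenticate-then-deliver over a socket.

```python
import hashlib
import hmac
import socket

def _read(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes from the socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf

def sec_send(sock: socket.socket, key: bytes, data: bytes) -> None:
    """Compute the authenticity tag over the data, then transmit
    length, tag, and data through the socket."""
    tag = hmac.new(key, data, hashlib.sha256).digest()
    sock.sendall(len(data).to_bytes(4, "big") + tag + data)

def sec_recv(sock: socket.socket, key: bytes) -> bytes:
    """Receive one record and check its authenticity before
    returning the data to the caller."""
    n = int.from_bytes(_read(sock, 4), "big")
    tag, data = _read(sock, 32), _read(sock, n)
    if not hmac.compare_digest(tag, hmac.new(key, data,
                                             hashlib.sha256).digest()):
        raise ValueError("authentication check failed")
    return data
```

Both ends would use the secret key derived during the negotiation phase, so a tampered or replayed-with-wrong-key record fails the check on receipt.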
5 VPN-Insel
The module VPN-Insel uses the services provided by the interface Secsockets.
At the same time it supports the communication applications that run at the
upper level and provides them with the characteristic services of a VPN. So,
by making use of Secsockets security mechanisms, VPN-Insel offers users these
services transparently. The system comprises the following types of processes:
[Figure: VPN-Insel process structure, showing the main server (S1), secondary server (S2), auxiliary server (SAux), and client (C1), with their creation and communication relationships.]
1. Clients (C1): represents the client software for those users who communicate
from a LAN.
2. Main server (S1): It runs in the main entity's computer system (main LAN
in the organization). This type of process centralizes the VPN management,
controls other types of server processes, maintains a database with the in-
formation related to these servers (IP addresses), and provides information
about the VPN. There is only one of these processes in each VPN.
3. Secondary Server (S2): This server controls the local users (the users inside
its LAN) and decides which of them can log in to the VPN. It also attends
to their requests in the same way as the main server does. One secondary
server exists in each entity, i.e., in each LAN of the organization.
4. Auxiliary Servers (SAux): Auxiliary servers are created by the secondary
server to attend to users during a particular connection. They are interme-
diate processes within secure communications and make use of the functions
that the SecSockets interface provides, in such a way that security mecha-
nisms are transparent to client processes.
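The role of an auxiliary server, relaying traffic so that security mechanisms stay transparent to client processes, can be sketched as a one-direction byte relay. In VPN-Insel the outbound side would go through the Secsockets functions; plain sockets are used here so the sketch stays self-contained, and all names are illustrative.

```python
import socket
import threading

def relay(src: socket.socket, dst: socket.socket) -> None:
    """One direction of an auxiliary-server relay: copy bytes from the
    client-facing socket to the peer-facing channel until the client
    closes, then close the outbound side."""
    while True:
        data = src.recv(4096)
        if not data:
            dst.close()
            return
        dst.sendall(data)
```

A full auxiliary server would run one such loop per direction in its own thread, with the outbound leg wrapped in the secure channel.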
Then clients can start using the VPN to communicate securely with other
members of the private network. The communication among VPN members fol-
lows these steps:
6 Examples
In this section we show two scenarios that clarify how our solution works for TCP
and UDP services. In the first scenario we show how an FTP session is secured
inside the VPN. The second scenario describes an audio-conference between two
users.
The example scenario for FTP service is shown in figure 4. A client C1 wants
to connect to one FTP server in the VPN. The sequence of events is the following
one:
1. C1, started by the user, requests a connection to S2, its secondary server.
[Figure 4: FTP example scenario. C1 contacts its secondary server S2, which coordinates with S1 and the remote secondary server S2'; auxiliary servers SAux-C and SAux-S carry the secured traffic between the FTP client and the FTP server, with the exchanges numbered.]
[Figure: Audio-conference example scenario. The two audio clients communicate through auxiliary servers SAux-S and SAux-C, with the connection set up via S1, S2, and S2', and the exchanges numbered.]
7 Conclusions
The study of the different TCP/IP stack layers reveals that the different solutions
that enable establishing a VPN pay most of their attention to security aspects.
These solutions focus on the isolation of a distributed network from outsiders
and on the protection of sensitive information traversing the Internet. But the users
of these systems cannot freely use traditional services such as electronic mail
exchange with non-VPN users, and cannot freely access Web and FTP servers
external to the organization.
In this paper we have presented a new solution for the implementation of
VPNs at the transport layer that, while maintaining strong security features,
allows the open use of traditional Internet services that run over TCP and UDP
layers. As a consequence, it enables access to any remote node in the VPN and
outside the VPN. The solution is exclusively software, so its deployment does
not require the addition of new hardware or the modification of any existing one.
The solution allows a homogeneous control of all network services, which is
necessary to gain higher user confidence regarding the entire system. Moreover,
it does not require the modification of the software of traditionally insecure
applications such as FTP, HTTP, Telnet, electronic mail, etc. As a result, the
scheme is a simple and cheap solution for those organizations that want to install
a VPN.
References
1. Atkinson, R. Security Architecture for the Internet Protocol. RFC 1825, August
1995.
2. Black, U. Frame-Relay: Specifications and Implementations, McGraw-Hill, 1994.
3. Davila, J., Lopez, J., Peralta, R. Implementation of Virtual Private Networks at the
Transport Layer, Second International Information Security Workshop (ISW’99),
LNCS 1729, November 1999, pp. 85–102
Design of a VPN Software Solution Integrating TCP and UDP Services 337
4. Dierks, T., Allen, C. The TLS Protocol Version 1.0. RFC 2246, January 1999.
5. Harbison, R. Frame-Relay: Technology for our Time, LAN Technology, December
1992.
6. Horowitz, M., Lunt, S. FTP Security Extensions. RFC 2228, October 1997.
7. Lai, X.; Massey, J. Hash Functions Based on Block Ciphers. Advances in Cryptol-
ogy. EUROCRYPT ’92, Springer-Verlag, 1992, pp. 55–70.
8. Linn, J. Privacy Enhancement for Internet Electronic Mail: Part I – Message En-
cipherment and Authentication Procedures. RFC 989, February 1987.
9. Microsoft Corporation. The Private Communication Technology, 1997.
10. National Bureau of Standards. Data Encryption Standard. U.S. Department of
Commerce, FIPS pub. 46, January 1977.
11. National Institute of Standards and Technology, NIST FIPS PUB 180. Secure Hash
Standard. U.S. Department of Commerce, May 1993.
12. Netscape Communications. SSL 3.0 Specification.
13. Ramsdell, B. “S/MIME Version 3.1 Message Specification”, Internet Draft, Febru-
ary 2002.
14. Rivest, R. The MD5 Message Digest Algorithm. RFC 1321, April 1992.
15. Rivest, R. “The RC4 Encryption Algorithm”, RSA Data Security, Mar 1992.
16. Schiffman, A., Rescorla, E. The Secure Hypertext Transfer Protocol. Internet
Draft, June 1998.
17. Schneier, B. Description of a New Variable-Length Key, 64-Bit Block Cipher (Blow-
fish). Fast Software Encryption, Cambridge Security Workshop Proceedings, Springer-Verlag, 1994, pp. 191–204.
18. Zimmermann, P.R. The Official PGP User’s Guide. MIT Press, 1995.